fix(deps): update go dependencies (#37967)
This PR contains the following updates:
| Package | Change |
|---|---|
| [gitea.com/gitea/runner](https://gitea.com/gitea/runner) | `v1.0.5` → `v1.0.6` |
| [github.com/aws/aws-sdk-go-v2/credentials](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.19.16` → `v1.19.17` |
| [github.com/getkin/kin-openapi](https://redirect.github.com/getkin/kin-openapi) | `v0.138.0` → `v0.139.0` |
| [github.com/go-chi/chi/v5](https://redirect.github.com/go-chi/chi) | `v5.2.5` → `v5.3.0` |
| [github.com/go-webauthn/webauthn](https://redirect.github.com/go-webauthn/webauthn) | `v0.17.3` → `v0.17.4` |
| [github.com/minio/minio-go/v7](https://redirect.github.com/minio/minio-go) | `v7.1.0` → `v7.2.0` |
| [gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go) | `v2.30.0` → `v2.34.0` |
---
### Release Notes
<details>
<summary>gitea/runner (gitea.com/gitea/runner)</summary>
### [`v1.0.6`](https://gitea.com/gitea/runner/releases/tag/v1.0.6)
[Compare Source](https://gitea.com/gitea/runner/compare/v1.0.5...v1.0.6)
#### Changelog
- fix(deps): update module github.com/opencontainers/selinux to v1.15.0
([#​990](https://redirect.github.com/gitea/runner/issues/990))
- chore: pin Docker base images to explicit versions
([#​992](https://redirect.github.com/gitea/runner/issues/992))
- chore(deps): update actions/setup-node action to v6
([#​991](https://redirect.github.com/gitea/runner/issues/991))
- test: make TestRunEvent integration suite runnable locally
([#​987](https://redirect.github.com/gitea/runner/issues/987))
- ci: add PR title linting against Conventional Commits
([#​988](https://redirect.github.com/gitea/runner/issues/988))
- fix: clean up job network and container when container start fails
([#​986](https://redirect.github.com/gitea/runner/issues/986))
</details>
<details>
<summary>getkin/kin-openapi (github.com/getkin/kin-openapi)</summary>
### [`v0.139.0`](https://redirect.github.com/getkin/kin-openapi/releases/tag/v0.139.0)
[Compare Source](https://redirect.github.com/getkin/kin-openapi/compare/v0.138.0...v0.139.0)
#### What's Changed
- feat(openapi3): batch-convert long-tail RequiredFieldError sites by
[@​reuvenharrison](https://redirect.github.com/reuvenharrison) in
[#​1170](https://redirect.github.com/getkin/kin-openapi/pull/1170)
- feat(openapi3): typed validation error clusters (combined:
[#​1171](https://redirect.github.com/getkin/kin-openapi/issues/1171)-[#​1179](https://redirect.github.com/getkin/kin-openapi/issues/1179))
by [@​reuvenharrison](https://redirect.github.com/reuvenharrison)
in
[#​1180](https://redirect.github.com/getkin/kin-openapi/pull/1180)
- openapi3gen: skip component export for anonymous types by
[@​0-don](https://redirect.github.com/0-don) in
[#​1163](https://redirect.github.com/getkin/kin-openapi/pull/1163)
- feat: migrate to oasdiff/yaml v0.1.0 single Unmarshal API + enable
DisableTimestamps by
[@​reuvenharrison](https://redirect.github.com/reuvenharrison) in
[#​1181](https://redirect.github.com/getkin/kin-openapi/pull/1181)
- openapi3: typed context errors for Validate() wrapper chain by
[@​reuvenharrison](https://redirect.github.com/reuvenharrison) in
[#​1183](https://redirect.github.com/getkin/kin-openapi/pull/1183)
- openapi3: track Origin on the document root (T) by
[@​reuvenharrison](https://redirect.github.com/reuvenharrison) in
[#​1184](https://redirect.github.com/getkin/kin-openapi/pull/1184)
- openapi3: tests flakiness corrected by
[@​fenollp](https://redirect.github.com/fenollp) in
[#​1159](https://redirect.github.com/getkin/kin-openapi/pull/1159)
- openapi3: aggregate independent validation errors via EnableMultiError
by [@​reuvenharrison](https://redirect.github.com/reuvenharrison)
in
[#​1185](https://redirect.github.com/getkin/kin-openapi/pull/1185)
- openapi3: fix validation of duplicated path templates by
[@​reuvenharrison](https://redirect.github.com/reuvenharrison) in
[#​1189](https://redirect.github.com/getkin/kin-openapi/pull/1189)
- openapi3: type the remaining bare-error validation sites by
[@​reuvenharrison](https://redirect.github.com/reuvenharrison) in
[#​1187](https://redirect.github.com/getkin/kin-openapi/pull/1187)
**Full Changelog**:
<https://github.com/getkin/kin-openapi/compare/v0.138.0...v0.139.0>
</details>
<details>
<summary>go-chi/chi (github.com/go-chi/chi/v5)</summary>
### [`v5.3.0`](https://redirect.github.com/go-chi/chi/releases/tag/v5.3.0)
[Compare Source](https://redirect.github.com/go-chi/chi/compare/v5.2.5...v5.3.0)
#### What's Changed
- Use strings.ReplaceAll where applicable by
[@​JRaspass](https://redirect.github.com/JRaspass) in
[#​1046](https://redirect.github.com/go-chi/chi/pull/1046)
- Propagate inline middlewares across mounted subrouters by
[@​LukasJenicek](https://redirect.github.com/LukasJenicek) in
[#​1049](https://redirect.github.com/go-chi/chi/pull/1049)
- add go 1.26 to ci by
[@​pkieltyka](https://redirect.github.com/pkieltyka) in
[#​1052](https://redirect.github.com/go-chi/chi/pull/1052)
- Remove last uses of io/ioutil by
[@​JRaspass](https://redirect.github.com/JRaspass) in
[#​1054](https://redirect.github.com/go-chi/chi/pull/1054)
- Simplify chi.walk with slices.Concat by
[@​JRaspass](https://redirect.github.com/JRaspass) in
[#​1053](https://redirect.github.com/go-chi/chi/pull/1053)
- Apply the stringscutprefix modernizer by
[@​JRaspass](https://redirect.github.com/JRaspass) in
[#​1051](https://redirect.github.com/go-chi/chi/pull/1051)
- Bump minimum Go to 1.23, always use request.Pattern by
[@​JRaspass](https://redirect.github.com/JRaspass) in
[#​1048](https://redirect.github.com/go-chi/chi/pull/1048)
- middleware: fix httpFancyWriter.ReadFrom double-counting bytes with
Tee by [@​alliasgher](https://redirect.github.com/alliasgher) in
[#​1085](https://redirect.github.com/go-chi/chi/pull/1085)
- Fix typo in Route doc comment by
[@​gouwazi](https://redirect.github.com/gouwazi) in
[#​1073](https://redirect.github.com/go-chi/chi/pull/1073)
- fix: set Request.Pattern from RoutePattern() by
[@​leno23](https://redirect.github.com/leno23) in
[#​1097](https://redirect.github.com/go-chi/chi/pull/1097)
- feat: middleware.ClientIP, a replacement for middleware.RealIP by
[@​VojtechVitek](https://redirect.github.com/VojtechVitek) in
[#​967](https://redirect.github.com/go-chi/chi/pull/967)
#### New Contributors
- [@​LukasJenicek](https://redirect.github.com/LukasJenicek) made
their first contribution in
[#​1049](https://redirect.github.com/go-chi/chi/pull/1049)
- [@​alliasgher](https://redirect.github.com/alliasgher) made
their first contribution in
[#​1085](https://redirect.github.com/go-chi/chi/pull/1085)
- [@​gouwazi](https://redirect.github.com/gouwazi) made their
first contribution in
[#​1073](https://redirect.github.com/go-chi/chi/pull/1073)
- [@​leno23](https://redirect.github.com/leno23) made their first
contribution in
[#​1097](https://redirect.github.com/go-chi/chi/pull/1097)
#### SECURITY: middleware.ClientIP, a replacement for middleware.RealIP
[@​VojtechVitek](https://redirect.github.com/VojtechVitek)
submitted PR
[#​967](https://redirect.github.com/go-chi/chi/issues/967), which
introduces middleware.ClientIP — a replacement for middleware.RealIP
that closes the three open spoofing advisories:
- [GHSA-9g5q-2w5x-hmxf](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-9g5q-2w5x-hmxf) — IP spoofing via XFF in `RemoteAddr` resolution (convto)
- [GHSA-rjr7-jggh-pgcp](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-rjr7-jggh-pgcp) — RealIP allows IP spoofing via unvalidated XFF (rezmoss)
- [GHSA-3fxj-6jh8-hvhx](https://redirect.github.com/go-chi/chi/security/advisories/GHSA-3fxj-6jh8-hvhx) — IP spoofing in `middleware.RealIP` (Saku0512, Critical / 9.3)
It also addresses issues outlined at:
- [#​708](https://redirect.github.com/go-chi/chi/issues/708)
- <https://adam-p.ca/blog/2022/03/x-forwarded-for/>
- [#​711](https://redirect.github.com/go-chi/chi/issues/711)
- [#​453](https://redirect.github.com/go-chi/chi/issues/453)
- [#​908](https://redirect.github.com/go-chi/chi/pull/908)
`middleware.RealIP` is deprecated in this PR with pointers to the new
API.
The deprecation only adds a `// Deprecated:` doc comment; the function
keeps working for backward compatibility.
##### Why a new middleware (not "fix RealIP in place")
`RealIP` has two unfixable design choices: it mutates `r.RemoteAddr`,
and it tries to be a one-size-fits-all default by walking a hard-coded
list of headers any client can supply. Per [adam-p's "The perils of the
'real' client IP"](https://adam-p.ca/blog/2022/03/x-forwarded-for/)
(which calls chi out by name on this), there is no safe default — the
user must pick their trust source explicitly.
##### The new API
Four middlewares, two accessors. Pick exactly one middleware based on
your infrastructure, read the result with one of the two accessors:
```go
// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
func ClientIPFromRemoteAddr(h http.Handler) http.Handler
// Read the result.
func GetClientIP(ctx context.Context) string // for logs, rate-limit keys
func GetClientIPAddr(ctx context.Context) netip.Addr // for typed work
```
#### Example usage:
```go
// Pick a single ClientIP middleware based on your deployment
// Cloudflare.
r.Use(middleware.ClientIPFromHeader("CF-Connecting-IP"))
// Nginx with ngx_http_realip_module.
r.Use(middleware.ClientIPFromHeader("X-Real-IP"))
// Apache with mod_remoteip.
r.Use(middleware.ClientIPFromHeader("X-Client-IP"))
// AWS CloudFront, or any proxy fleet with known CIDRs.
r.Use(middleware.ClientIPFromXFF(
	"13.32.0.0/15",   // CloudFront IPv4
	"52.46.0.0/18",   // CloudFront IPv4
	"2600:9000::/28", // CloudFront IPv6
))
// Behind exactly 2 trusted proxies with dynamic IPs (autoscaling pools,
// ephemeral containers, dynamic CDN edges).
r.Use(middleware.ClientIPFromXFFTrustedProxies(2))
// Server directly on the public internet, no proxy in front.
r.Use(middleware.ClientIPFromRemoteAddr)
```
And in your handler or downstream middleware:
```go
clientIP := middleware.GetClientIP(r.Context())
// log it, use it as a rate-limit key, etc.
```
***
Thanks to [@​adam-p](https://redirect.github.com/adam-p),
[@​c2h5oh](https://redirect.github.com/c2h5oh),
[@​rezmoss](https://redirect.github.com/rezmoss),
[@​Saku0512](https://redirect.github.com/Saku0512),
[@​convto](https://redirect.github.com/convto),
[@​Dirbaio](https://redirect.github.com/Dirbaio),
[@​jawnsy](https://redirect.github.com/jawnsy),
[@​lrstanley](https://redirect.github.com/lrstanley),
[@​mfridman](https://redirect.github.com/mfridman),
[@​n33pm](https://redirect.github.com/n33pm),
[@​pkieltyka](https://redirect.github.com/pkieltyka) for the prior
discussions, detailed reviews, advisory reports, and test contributions
that shaped this PR.
**Full Changelog**:
<https://github.com/go-chi/chi/compare/v5.2.5...v5.3.0>
</details>
<details>
<summary>go-webauthn/webauthn (github.com/go-webauthn/webauthn)</summary>
### [`v0.17.4`](https://redirect.github.com/go-webauthn/webauthn/blob/HEAD/CHANGELOG.md#v0174-2026-05-22)
[Compare Source](https://redirect.github.com/go-webauthn/webauthn/compare/v0.17.3...v0.17.4)
##### Dependency Updates
This release just contains updates to dependencies.
</details>
<details>
<summary>minio/minio-go (github.com/minio/minio-go/v7)</summary>
### [`v7.2.0`](https://redirect.github.com/minio/minio-go/releases/tag/v7.2.0)
[Compare Source](https://redirect.github.com/minio/minio-go/compare/v7.1.0...v7.2.0)
#### What's Changed
- Use go tool for ci-lint check by
[@​klauspost](https://redirect.github.com/klauspost) in
[#​2229](https://redirect.github.com/minio/minio-go/pull/2229)
- Rename github.com/go-ini/ini to gopkg.in/ini.v1 by
[@​ramondeklein](https://redirect.github.com/ramondeklein) in
[#​2232](https://redirect.github.com/minio/minio-go/pull/2232)
- Add RDMA / NVIDIA GPU Direct Storage support by
[@​harshavardhana](https://redirect.github.com/harshavardhana) in
[#​2233](https://redirect.github.com/minio/minio-go/pull/2233)
**Full Changelog**:
<https://github.com/minio/minio-go/compare/v7.1.0...v7.2.0>
</details>
<details>
<summary>gitlab-org/api/client-go (gitlab.com/gitlab-org/api/client-go/v2)</summary>
### [`v2.34.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.34.0)
[Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.33.0...v2.34.0)
#### 2.34.0
##### 🚀 Features
- Extend DeploymentDeployablePipeline with web_url
([!2902](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2902))
by [Jan Berge Sommerdahl](https://gitlab.com/sommerdahl)
##### 🔄 Other Changes
- chore(deps): update docker docker tag to v29.5.1
([!2903](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2903))
by [GitLab Dependency
Bot](https://gitlab.com/gitlab-dependency-update-bot)
### [2.34.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.33.0...v2.34.0) (2026-05-27)
### [`v2.33.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.33.0)
[Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.32.0...v2.33.0)
#### 2.33.0
##### 🚀 Features
- feat(work-items): add ListWorkItemTypes to WorkItemsService
([!2864](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2864))
by [Emmanuel 326](https://gitlab.com/Emmanuel326)
##### 🔄 Other Changes
- chore(deps): update module cel.dev/expr to v0.25.2
([!2881](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2881))
by [GitLab Dependency
Bot](https://gitlab.com/gitlab-dependency-update-bot)
### [2.33.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.32.0...v2.33.0) (2026-05-27)
##### Features
* **work-items:** add ListWorkItemTypes to WorkItemsService
([e71cb99](https://gitlab.com/gitlab-org/api/client-go/commit/e71cb994482aa882eb8eb9fc4140ca1e4aac25ab))
### [`v2.32.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.32.0)
[Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.31.0...v2.32.0)
#### 2.32.0
##### 🚀 Features
- feat(ci-job-cancel): force cancel
([!2872](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2872))
by [Filip Aleksic](https://gitlab.com/faleksic)
### [2.32.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.31.0...v2.32.0) (2026-05-23)
##### Features
* **ci-job-cancel:** force cancel
([aa46bd1](https://gitlab.com/gitlab-org/api/client-go/commit/aa46bd18428834eebdb42622f2523c64686021e8))
### [`v2.31.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.31.0)
[Compare Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.30.0...v2.31.0)
#### 2.31.0
##### 🚀 Features
- Adds project service accounts API
([!2899](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2899))
by [Jimmy Spagnola](https://gitlab.com/jspagnola)
- feat(gitlaboauth2): support ephemeral ports in CallbackServer
([!2877](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2877))
by [Raphael Rösch](https://gitlab.com/raphael.roesch)
### [2.31.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.30.0...v2.31.0) (2026-05-22)
##### Features
* **gitlaboauth2:** support ephemeral ports in CallbackServer
([c8c388d](https://gitlab.com/gitlab-org/api/client-go/commit/c8c388d56663a8f2e27b4c74f1323d3671a6bbaf))
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
  - Only on Monday (`* * * * 1`)
- Automerge
  - At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.
---
This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate).
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
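
The chi v5.3.0 notes above say there is no safe default for the client IP and that the trust source must be chosen explicitly. As an added illustration (not code from chi, Gitea or this commit, and not a description of how `middleware.ClientIPFromXFF` is implemented), this Go example contrasts taking the leftmost `X-Forwarded-For` entry with walking the header from the right past known proxy prefixes; `leftmostXFF`, `rightmostUntrusted` and the sample addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
)

// leftmostXFF is the unsafe pattern: the first X-Forwarded-For entry is
// whatever the client chose to send.
func leftmostXFF(h http.Header) string {
	first, _, _ := strings.Cut(h.Get("X-Forwarded-For"), ",")
	return strings.TrimSpace(first)
}

// rightmostUntrusted walks all X-Forwarded-For entries from right to left and
// returns the first address outside the trusted proxy prefixes. Anything to
// the left of it was not appended by a trusted hop and is ignored.
func rightmostUntrusted(h http.Header, trusted []netip.Prefix) (netip.Addr, bool) {
	var hops []string
	for _, line := range h.Values("X-Forwarded-For") { // the header may repeat
		hops = append(hops, strings.Split(line, ",")...)
	}
next:
	for i := len(hops) - 1; i >= 0; i-- {
		addr, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			return netip.Addr{}, false // unparsable hop: fail closed
		}
		addr = addr.Unmap() // treat ::ffff:a.b.c.d as IPv4
		for _, p := range trusted {
			if p.Contains(addr) {
				continue next
			}
		}
		return addr, true
	}
	return netip.Addr{}, false // empty header, or every hop is a trusted proxy
}

func main() {
	// Constructed request: the client forged 198.51.100.99; the edge proxy
	// appended the real peer 203.0.113.7; a second proxy appended 13.32.0.5.
	h := http.Header{}
	h.Add("X-Forwarded-For", "198.51.100.99, 203.0.113.7")
	h.Add("X-Forwarded-For", "13.32.0.5")
	trusted := []netip.Prefix{netip.MustParsePrefix("13.32.0.0/15")}
	ip, ok := rightmostUntrusted(h, trusted)
	fmt.Println("leftmost:", leftmostXFF(h), "rightmost untrusted:", ip, ok)
}
```

In a deployment, the direct peer in `r.RemoteAddr` should itself fall inside the trusted prefixes before the header is consulted at all.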