Skip to content

fix(deps): update module github.com/pires/go-proxyproto to v0.15.0#907

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/github.com-pires-go-proxyproto-0.x
Open

fix(deps): update module github.com/pires/go-proxyproto to v0.15.0#907
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/github.com-pires-go-proxyproto-0.x

Conversation

@renovate

@renovate renovate Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/pires/go-proxyproto v0.13.0v0.15.0 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

pires/go-proxyproto (github.com/pires/go-proxyproto)

v0.15.0

Compare Source

v0.15.0

This release aligns the library with PROXY protocol spec 3.4 (2026/04/27). It tightens parsing and trust behavior to match the spec's requirements — which makes some previously accepted inputs and configurations fail loudly — and adds first-class support for the PROXY protocol over UDP.

⚠️ Breaking changes

The PROXY header is now required by default (2cd5f00)

  • A new DefaultPolicy package variable, set to REQUIRE, is applied by NewConn and Listener.Accept when no policy is configured. The spec forbids guessing whether a header is present, so headerless connections now fail their first Read with ErrNoProxyProtocol.
  • To restore the previous lax behavior: proxyproto.DefaultPolicy = proxyproto.USE.
  • TrustProxyHeaderFrom is now strict: trusted peers get REQUIRE and untrusted peers are dropped by Accept with an error wrapping ErrInvalidUpstream. Previously, untrusted headerless clients could slip through as raw connections.

Stricter v1/v2 header parsing per spec 3.4 (5914db8)

  • v1: the full PROXY token is validated; IPv6 zone IDs are rejected; plain IPv4 addresses in TCP6 lines are rejected (set V1AcceptIPv4InTCP6 for nginx interop); ports are parsed with leading zeros rejected and ranges validated on formatting.
  • v2: the family/transport whitelist now applies to LOCAL commands too, rejecting undefined bytes per spec 2.2. LOCAL headers with a valid address block decode addresses and TLVs and round-trip; ill-fitting ones are normalized to UNSPEC.
  • New MaxV2HeaderSize variable bounds the declared v2 length (default 4096) — raise it if you carry large TLVs such as PP2_SUBTYPE_SSL_CLIENT_CERT.
✨ New features

PROXY protocol over UDP (499ef90, fixes #​79)

  • New ParseUDPDatagram and Header.FormatUDPDatagram implement the spec's per-datagram semantics (header and payload share a single datagram) for use with any net.PacketConn.
  • The library deliberately ships no net.PacketConn wrapper — reply routing needs an application-policy flow table — but examples/udppacketconn is a runnable sketch of that pattern, alongside examples/udpserver and examples/udpclient for the plain paths.

Reworked trust policies (2cd5f00)

  • New PolicyFromRanges(ranges, matched, unmatched) and MustPolicyFromRanges supersede the whitelist policy family, which is deprecated and now delegates to them. The (REQUIRE, IGNORE) combination covers mixed proxied/direct traffic the old family couldn't express.
  • New CIDR-capable TrustProxyHeaderFromRanges.
  • All built-in policies wrap address-classification failures in ErrInvalidUpstream, so a single unclassifiable peer can no longer stop an accept loop.

TLV registry and PP2SSL caught up to spec 3.4 (4e80228)

  • Registered() now includes PP2_TYPE_GROUP, PP2_SUBTYPE_SSL_SIG_SCHEME, and PP2_SUBTYPE_SSL_CLIENT_CERT.
  • New PP2SSL accessors: SSLSigAlg, SSLKeyAlg, SSLGroup, SSLSigScheme.
🐛 Fixes
  • Header.EqualsTo no longer panics on nil addresses (5914db8).
  • formatVersion2 folds TLV length into the declared length for Unix families instead of emitting TLVs past it (5914db8).
🧪 Testing & CI
  • New fuzz/table suites: exhaustive 256-transport-byte sweeps for both v2 commands, a LOCAL decode matrix, byte-for-byte round-trip stability, and FuzzRead parse–format–reparse invariants (5914db8).
  • CI gains a fuzz job that auto-discovers fuzz targets and uploads crashers as artifacts; workflow actions bumped across the board (af4b18c).
  • Coverage for the http2 serveConn TLS handshake-failure branch (b01bea4).
📚 Documentation
  • README rewritten against spec 3.4: new Security section with the spec's trust requirements, a UDP section, an examples table, and warnings about the new REQUIRE default (bd986c0).

v0.14.0

Compare Source

What's Changed

Full Changelog: pires/go-proxyproto@v0.13.0...v0.14.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package Change
golang.org/x/net v0.49.0 -> v0.55.0

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 5, 2026

Copy link
Copy Markdown

Deploying gate-minekube with  Cloudflare Pages  Cloudflare Pages

Latest commit: 3044478
Status: ✅  Deploy successful!
Preview URL: https://bc7986bf.gate-minekube.pages.dev
Branch Preview URL: https://renovate-github-com-pires-go.gate-minekube.pages.dev

View logs

@renovate renovate Bot force-pushed the renovate/github.com-pires-go-proxyproto-0.x branch 3 times, most recently from 306435d to a5f10c5 Compare July 9, 2026 01:34
@renovate renovate Bot force-pushed the renovate/github.com-pires-go-proxyproto-0.x branch from a5f10c5 to 3044478 Compare July 9, 2026 16:35
@renovate renovate Bot changed the title fix(deps): update module github.com/pires/go-proxyproto to v0.14.0 fix(deps): update module github.com/pires/go-proxyproto to v0.15.0 Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants