build(deps): bump github.com/abczzz13/clientip from 0.0.5 to 0.0.6 in /prometheus #18

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/prometheus/github.com/abczzz13/clientip-0.0.6
dependabot bot commented on behalf of github on Feb 20, 2026

Bumps github.com/abczzz13/clientip from 0.0.5 to 0.0.6.

Release notes

Sourced from github.com/abczzz13/clientip's releases.

v0.0.6

What's Changed

Full Changelog: v0.0.5...v0.0.6

Changelog

Sourced from github.com/abczzz13/clientip's changelog.

[0.0.6] - 2026-02-18

Added

  • Framework-agnostic extraction API: RequestInput, HeaderValues, HeaderValuesFunc, Extractor.ExtractFrom, and Extractor.ExtractAddrFrom.
  • One-shot helpers for framework-agnostic input: ExtractFromWithOptions and ExtractAddrFromWithOptions.
  • New examples and tests covering framework-style integrations, parity with net/http extraction behavior, context/path propagation for logging, and cancellation behavior for framework header providers.
  • Additional Forwarded parser tests for quoted delimiters/escapes and malformed quoted-value edge cases.
  • Benchmark coverage for ExtractFrom with both http.Header and HeaderValuesFunc header providers, plus parameter-rich Forwarded header extraction.
  • New option AllowReservedClientPrefixes(...netip.Prefix) to explicitly allow selected reserved/special-use client ranges.

Changed

  • Internal extraction now keeps *http.Request as the core representation; ExtractFrom adapts RequestInput into a minimal request while preserving existing security behavior for duplicate single-IP headers and trusted-proxy validation.
  • ExtractFrom now avoids header adaptation work for remote-address-only priority, lazily materializes header maps for custom header providers, and checks RequestInput.Context cancellation before consulting header providers.
  • Header-based source extraction now uses canonicalized precomputed header keys with direct map lookups (http.Header[key]) on hot paths.
  • Forwarded parsing now uses a single-pass segment scanner that respects quoted delimiters and escape sequences while preserving strict malformed-header validation.
  • X-Forwarded-For extraction now combines multiple header lines into one logical chain (matching Forwarded) instead of treating duplicates as a terminal error, and no longer emits the multiple_headers security event for this case.
  • Removed ErrMultipleXFFHeaders; duplicate-line handling for X-Forwarded-For is no longer an error condition.
  • Option APIs are now typed-first: trusted proxy configuration now uses TrustProxyPrefixes, TrustProxyAddrs, MinTrustedProxies, and MaxTrustedProxies; reserved-range allowlisting now uses AllowReservedClientPrefixes; and per-call overrides use TrustedProxyPrefixes and AllowReservedClientPrefixes fields. This replaces TrustedProxies, TrustedCIDRs, TrustProxyIP, MinProxies, MaxProxies, and AllowReservedClientCIDRs.

Commits

  • 71361c4 release: v0.0.6
  • 7270bf8 perf: combine xff in chain and reduce extraction overhead (#16)
  • efe381f refactor!: switch trust/allowlist options to typed netip APIs (#15)
  • e0bc186 feat: add framework-agnostic extraction via RequestInput (#14)
  • 4f9443e perf: optimize header extraction paths and harden Forwarded parsing (#13)
  • d0d4e72 chore(prometheus): bump clientip to v0.0.5 (#12)
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/abczzz13/clientip](https://github.com/abczzz13/clientip) from 0.0.5 to 0.0.6.
- [Release notes](https://github.com/abczzz13/clientip/releases)
- [Changelog](https://github.com/abczzz13/clientip/blob/main/CHANGELOG.md)
- [Commits](v0.0.5...v0.0.6)

---
updated-dependencies:
- dependency-name: github.com/abczzz13/clientip
  dependency-version: 0.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Feb 20, 2026
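
The 0.0.6 changelog entry on X-Forwarded-For says multiple header lines are now combined into one logical chain instead of being rejected. The sketch below is an added example, not code from clientip or from this PR, and shows why that matters for a trusted-proxy check when the client sends its own line. It uses only the Go standard library; `combineXFF`, `trusted` and `clientFromChain` are hypothetical names, the addresses are constructed, and the rightmost-untrusted-hop policy is an assumption, not a description of clientip's internals.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// combineXFF merges every X-Forwarded-For line (http.Header.Values output) into one chain.
func combineXFF(lines []string) []string {
	var chain []string
	for _, part := range strings.Split(strings.Join(lines, ","), ",") {
		if p := strings.TrimSpace(part); p != "" {
			chain = append(chain, p)
		}
	}
	return chain
}

func trusted(a netip.Addr, proxies []netip.Prefix) bool {
	for _, p := range proxies {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// clientFromChain returns the rightmost address, starting at the peer, that is not a trusted proxy.
func clientFromChain(chain []string, peer netip.Addr, proxies []netip.Prefix) (netip.Addr, error) {
	cur := peer
	for i := len(chain) - 1; i >= 0 && trusted(cur, proxies); i-- {
		a, err := netip.ParseAddr(chain[i])
		if err != nil {
			return netip.Addr{}, fmt.Errorf("malformed hop %q: %w", chain[i], err)
		}
		cur = a
	}
	if trusted(cur, proxies) {
		return netip.Addr{}, fmt.Errorf("no untrusted hop in chain")
	}
	return cur, nil
}

func main() {
	// Constructed sample: line 1 was sent by the client, line 2 was appended by the proxy tier.
	lines := []string{"203.0.113.7", "198.51.100.23, 10.0.0.5"}
	proxies := []netip.Prefix{netip.MustParsePrefix("10.0.0.0/8")}
	fmt.Println(clientFromChain(combineXFF(lines), netip.MustParseAddr("10.0.0.9"), proxies))
}
```

The client-supplied `203.0.113.7` sits to the left of the first untrusted hop and is never selected; when the direct peer is outside the trusted prefixes the headers are ignored altogether.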