Update module github.com/caddyserver/caddy/v2 to v2.11.4

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/caddyserver/caddy/v2	v2.11.2 → v2.11.4

---

Release Notes

caddyserver/caddy (github.com/caddyserver/caddy/v2)

v2.11.4

Compare Source

This release patches more security, security-adjacent, and normal bugs. The FrankenPHP project has collaborated on PHP-adjacent patches, which we are grateful for.

The recent surge of patches is mostly attributed to token predictors. We have had to reject more than 75% of "security" reports because they were AI slop spam (or just lazy/incorrect). Please use LLMs and agents wisely to avoid wasting precious maintainer resources. We have started blocking offending accounts that spam slop reports. Thank you to all who submit responsible reports following our security policy to make the project better. We appreciate that the community deems the Caddy project worthy of contribution to improve the broader ecosystem!

Security-related patches:

• caddyhttp: Normalize Windows backslashes in path matcher (thanks @​Vincent550102)
• rewrite: Prevent placeholder re-expansion in injected query (thanks @​WhiskerEnt)
• templates: Improved stripHTML action to more reliably remove malformed HTML (thanks to @​jmrcsnchz)
• caddyhttp: Ignore header fields with underscores to prevent collisions (thanks @​Vincent550102 for the report and @​dunglas for the patch)

There are also several other various fixes and enhancements by many other contributors. Thank you everyone who participated!

What's Changed

• reverseproxy: further prevent body closes from dial errors by @​jameshartig in #​7715
• caddytls: Fix client auth (fix #​7724) by @​mholt in #​7727
• chore: deps upgrade by @​mohammed90 in #​7751
• caddyhttp: omit Last-Modified for unusable mod times by @​bb4242 in #​7740
• caddytls: fix TLS state races and ECH rotation retry by @​broady in #​7756
• chore: clean up wording and typo fixes by @​steadytao in #​7745
• reverseproxy: Add regression test for DialInfo network override by @​eyupcanakman in #​7758
• caddyauth: add candidate placeholders for rejected identities by @​steadytao in #​7698
• cmd: support caddy start on IPv6-only hosts by @​steadytao in #​7744
• caddyfile: preserve implicit TLS issuer semantics by @​steadytao in #​7743
• reverseproxy: wraps request body to prevent closing if not read by @​WeidiDeng in #​7719
• caddytls: match IDN SNI in connection policies by @​steadytao in #​7742
• build(deps): bump the all-updates group across 1 directory with 9 updates by @​dependabot[bot] in #​7752
• caddyhttp: normalize Windows backslashes in path matcher by @​Vincent550102 in #​7763
• go.mod: update x/net by @​steadytao in #​7767
• rewrite: prevent placeholder re-expansion in injected query by @​WhiskerEnt in #​7761
• perf(replacer): optimize memory allocation for file placeholders by @​Jualhosting in #​7773
• caddytls: skip idna.ToASCII for pure ASCII SNI values by @​sleet0922 in #​7770
• encode: prioritize zstd and br over gzip in content negotiation by @​Jualhosting in #​7772
• httpcaddyfile: fix incorrect error message on duplicate matchers by @​Brunotlps in #​7780
• Patch for GHSA-vcc4-2c75-vc9v by @​jmrcsnchz in #​7785

New Contributors

• @​jameshartig made their first contribution in #​7715
• @​bb4242 made their first contribution in #​7740
• @​broady made their first contribution in #​7756
• @​eyupcanakman made their first contribution in #​7758
• @​Vincent550102 made their first contribution in #​7763
• @​WhiskerEnt made their first contribution in #​7761
• @​Jualhosting made their first contribution in #​7773
• @​sleet0922 made their first contribution in #​7770
• @​Brunotlps made their first contribution in #​7780
• @​jmrcsnchz made their first contribution in #​7785

Full Changelog: caddyserver/caddy@v2.11.3...v2.11.4

v2.11.3

Compare Source

This release improves several aspects of Caddy with minor features, bug fixes, and security patches. Thank you to everyone and their bots who contributed to help make this release the best one yet!

Security patches:

• fastcgi: Carrying over a patch from FrankenPHP for a bug that could allow non-PHP files to be executed; collaborated on by @​dunglas, @​KC1zs4, and @​chenjj.
• vars: A more thorough fix for GHSA-m2w3-8f23-hxxf, collaborated by @​everping and @​vnxme.
• admin: Array index normalization to prevent remote admin socket auth bypass, by @​Amemoyoi and bot.
• admin: More rigorous path prefix matching to prevent remote admin socket auth bypass, by @​Amemoyoi and bot.

We've also merged a couple PRs that fix upstream security bugs in other projects like quic-go and CertMagic. Thank you to @​marten-seemann for maintaining quic-go so diligently!

What's Changed

• caddyhttp: Sync placeholder expansion in vars and vars_regexp by @​vnxme in #​7573
• caddytls: Avoid ACME fallback for implicit Tailscale *.ts.net policies by @​steadytao in #​7577
• chore: Resolve recent CI failures by @​mholt in #​7593
• caddytls: Consolidate empty APs more smartly by @​mholt in #​7567
• rewrite: skip query rename when source key is absent by @​steadytao in #​7599
• root: introduce down-propagating Helper.BlockState for other directives/plugins to use by @​henderkes in #​7594
• http: make zstd checksum configurable by @​ottenhoff in #​7586
• notify: Always send "READY=1" even after an error by @​francislavoie in #​7597
• reverseproxy: Fix check for header_up Host {upstream_hostport} redundancy by @​yubiuser in #​7564
• caddytls: Expand placeholders in dns_challenge override_domain tls parameter by @​pberkel in #​7609
• tls: add system and combined CA pool modules by @​HarshPatel5940 in #​7406
• vars: Don't expand placeholders in values by @​vnxme in #​7629
• build(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp from 1.42.0 to 1.43.0 by @​dependabot[bot] in #​7637
• build(deps): bump the all-updates group across 1 directory with 11 updates by @​dependabot[bot] in #​7641
• reverseproxy: make stream copy buffer size configurable by @​steadytao in #​7627
• vars: Add matcher placeholder handling tests by @​steadytao in #​7640
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @​dependabot[bot] in #​7621
• logging: Add journald encoder wrapper by @​steadytao in #​7623
• caddyfile: Improve import/global options UX for imports before global options by @​steadytao in #​7642
• chore: replace interface{} with any for modernization by @​tsinglua in #​7571
• chore: bump timberjack to v1.4.1 by @​DeRuina in #​7618
• logging: Preserve ts for journald-wrapped JSON logs by @​steadytao in #​7644
• fileserver: show symlink targets verbatim (#​7476) by @​maxtruxa in #​7579
• fix(caddyfile): {block} in snippet by @​prettysunflower in #​7558
• caddyhttp: Document missing placeholders for escaped URI and prefixed query by @​steffenbusch in #​7659
• chore: add AGENTS.md by @​mohammed90 in #​7652
• build(deps): bump github.com/jackc/pgx/v5 from 5.8.0 to 5.9.0 by @​dependabot[bot] in #​7655
• admin: Redact sensitive request headers in API logs by @​steadytao in #​7578
• reverseproxy: add lb_retry_match condition on response status by @​seroperson in #​7569
• caddyhttp: prefer port 443 in auto-HTTPS and add tests by @​mholt in #​7666
• fix: Propagate ECH keys to the QUIC listener by @​steadytao in #​7670
• chore: Use atomics where appropriate by @​francislavoie in #​7648
• metrics: Implement pushing via OLTP by @​dunglas in #​7664
• logging: Add regression coverage for rotated file mode by @​steadytao in #​7620
• httpcaddyfile: Inherit global ACME issuer settings in tls shortcuts by @​steadytao in #​7617
• build(deps): bump github.com/jackc/pgx/v5 from 5.9.0 to 5.9.2 by @​dependabot[bot] in #​7668
• admin: require path segment boundary in remote access control by @​Amemoyoi in #​7673
• reverseproxy: Add ability to clear dynamic upstreams cache during retries by @​mholt in #​7662
• listeners: clean up stale Unix socket files on Windows by @​mfrischknecht in #​7676
• admin: reject non-canonical config array indices by @​Amemoyoi in #​7592
• caddytls: Expand ACME credentials by @​tribut in #​7554
• caddyauth: set user placeholders before auth rejection by @​cyphercodes in #​7685
• caddyauth: revert user placeholders on auth rejection by @​steadytao in #​7688
• chore: Fix golangci-lint 2.12.1 findings by @​steadytao in #​7690
• httpcaddyfile: accept duration strings for log sampling interval by @​tomholford in #​7694
• tls: Add alpn to managed HTTPS records by @​steadytao in #​7653
• caddytls: avoid duplicate automation for wildcard-covered hosts by @​Rijul-A in #​7697
• docs: add documentation for fileExists and fileStat template functions by @​steffenbusch in #​7700
• rewrite: escape file matcher paths before rewriting by @​cyphercodes in #​7683
• metrics: Add nil check for metricsHandler in AdminMetrics.serveHTTP by @​Br1an67 in #​7553

New Contributors

• @​steadytao made their first contribution in #​7577
• @​henderkes made their first contribution in #​7594
• @​yubiuser made their first contribution in #​7564
• @​pberkel made their first contribution in #​7609
• @​HarshPatel5940 made their first contribution in #​7406
• @​tsinglua made their first contribution in #​7571
• @​maxtruxa made their first contribution in #​7579
• @​seroperson made their first contribution in #​7569
• @​Amemoyoi made their first contribution in #​7673
• @​mfrischknecht made their first contribution in #​7676
• @​tribut made their first contribution in #​7554
• @​cyphercodes made their first contribution in #​7685
• @​tomholford made their first contribution in #​7694
• @​Rijul-A made their first contribution in #​7697
• @​Br1an67 made their first contribution in #​7553

Full Changelog: caddyserver/caddy@v2.11.2...v2.11.3

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 36 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.0 -> 1.25.1
cloud.google.com/go/auth	v0.18.1 -> v0.20.0
github.com/caddyserver/certmagic	v0.25.2 -> v0.25.3
github.com/go-jose/go-jose/v3	v3.0.4 -> v3.0.5
github.com/go-jose/go-jose/v4	v4.1.3 -> v4.1.4
github.com/go-sql-driver/mysql	v1.8.1 -> v1.9.3
github.com/google/cel-go	v0.27.0 -> v0.28.1
github.com/googleapis/enterprise-certificate-proxy	v0.3.11 -> v0.3.15
github.com/googleapis/gax-go/v2	v2.17.0 -> v2.22.0
github.com/jackc/pgservicefile	v0.0.0-20221227161230-091c0ba34f0a -> v0.0.0-20240606120523-5a60cdf6a761
github.com/jackc/pgx/v5	v5.6.0 -> v5.9.2
github.com/jackc/puddle/v2	v2.2.1 -> v2.2.2
github.com/klauspost/compress	v1.18.4 -> v1.18.6
github.com/prometheus/procfs	v0.19.2 -> v0.20.1
github.com/quic-go/quic-go	v0.59.0 -> v0.59.1
github.com/smallstep/certificates	v0.30.0-rc3 -> v0.30.2
github.com/smallstep/nosql	v0.7.0 -> v0.8.0
go.etcd.io/bbolt	v1.3.10 -> v1.4.3
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.65.0 -> v0.68.0
go.opentelemetry.io/otel	v1.40.0 -> v1.43.0
go.step.sm/crypto	v0.76.2 -> v0.81.0
go.uber.org/zap	v1.27.1 -> v1.28.0
go.yaml.in/yaml/v2	v2.4.3 -> v2.4.4
golang.org/x/crypto	v0.48.0 -> v0.52.0
golang.org/x/mod	v0.33.0 -> v0.35.0
golang.org/x/net	v0.51.0 -> v0.55.0
golang.org/x/oauth2	v0.35.0 -> v0.36.0
golang.org/x/sync	v0.19.0 -> v0.20.0
golang.org/x/sys	v0.41.0 -> v0.45.0
golang.org/x/term	v0.40.0 -> v0.43.0
golang.org/x/text	v0.34.0 -> v0.37.0
golang.org/x/time	v0.14.0 -> v0.15.0
golang.org/x/tools	v0.42.0 -> v0.44.0
google.golang.org/api	v0.266.0 -> v0.277.0
google.golang.org/genproto/googleapis/api	v0.0.0-20260128011058-8636f8732409 -> v0.0.0-20260406210006-6f92a3bedf2d
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260203192932-546029d2fa20 -> v0.0.0-20260427160629-7cedc36a6bc4
google.golang.org/grpc	v1.79.1 -> v1.81.0