@red-hat-konflux red-hat-konflux bot commented Nov 3, 2025

This PR contains the following updates:

Package Change
github.com/caddyserver/caddy/v2 v2.10.0-beta.2 -> v2.10.2

Warning

Some dependencies could not be looked up. Check the warning logs for more information.


Release Notes

caddyserver/caddy (github.com/caddyserver/caddy/v2)

v2.10.2

Compare Source

This is a hotfix release to fix a couple critical issues from v2.10.1

What's Changed

Changelog

New Contributors

Full Changelog: caddyserver/caddy@v2.10.1...v2.10.2

v2.10.1

Compare Source

This is probably our biggest patch release ever -- not that lots of things were broken, but there's lots of refinement happening thanks to broader adoption and contributions from many more people. Just look at the New Contributors below!

Anyway, this release does contain some bug fixes and dependency upgrades which we hope will serve you well. Let us know if there are any issues! And thank you to all who contributed, especially our reliable maintainer team!

This version of Caddy requires Go v1.25.0 or newer.

What's Changed

Changelog

  • 44d078b acme_server: fix policy parsing in caddyfile (#7006)
  • 320c572 admin: Make sure that any admin routers are provisioned when local/re… (#6997)
  • 49dac61 bcrypt: add cost parameter to hash-password (#7149)
  • 4bfc3b9 bcrypt: wrong cost flag name (#7168)
  • 4b01d77 build(deps): bump github.com/cloudflare/circl from 1.6.0 to 1.6.1 (#7058)
  • 45c9341 build(deps): bump golangci/golangci-lint-action from 6 to 8 (#7044)
  • 5bc2afb build(deps): bump the actions-deps group with 6 updates (#7142)
  • 007f406 build(deps): bump the all-updates group across 1 directory with 17 updates (#7155)
  • 8524386 caddyhttp: Compare paths w/o wildcard if prefixes differ (#7015)
  • 7590c9c caddyhttp: Free up quic listener when stopping (#7177)
  • b15ed9b caddyhttp: refactor to use reflect.TypeFor (#7187)
  • 14a63a2 caddyhttp: use the new http.Protocols to handle h1, h2 and h2c requests (#6961)
  • 731e6c2 caddytls: Improve ECH error logging (close #7152)
  • 105eee6 caddytls: Set local_ip, not remote_ip (#6952)
  • b898873 caddytls: fix regression in external certificate manager support (#7179)
  • 1481c04 caddytls: wire up client_auth leaf verifier Caddyfile (#6772)
  • 19ff47a cmd: Allow caddy adapt to read from stdin (#7163)
  • e633d01 cmd: fix Commands function not returning all registered commands (#7059)
  • 7099892 core: Check for nil event origin (#7047)
  • 3d0b4fa core: Clean up new config if it failed to run (#7068)
  • 051e73a core: Replace admin server later in provisionContext (#7004)
  • fe41ff3 core: Save app provisioning errors with context (#7070)
  • e4447c4 core: Use KeepAliveConfig to pass keepalive_interval to listener's accepted sockets (#7151)
  • b9710c6 fileserver: Add a few doc lines about Etag file content (#7173)
  • 3b4d966 fileserver: Add sort buttons in grid mode (#7089)
  • 54d03ce fileserver: Add support for .avif image format (#6988)
  • 790f3e0 fileserver: denote license for embedded JavaScript for LibreJS (#7127)
  • 94147ca fileserver: map invalid path errors to fs.ErrInvalid, and return 400 for any invalid path errors. (close #7008) (#7017)
  • 67debd0 fileserver: set Range header for precompressed static files to force Content Length header to appear (#7042)
  • 89ed5f4 fix: Remove nil arg from zapslog.NewHandler call (#6984)
  • 3723e89 go.mod: Upgrade CertMagic to v0.24.0
  • 3bd4135 go.mod: Upgrade dependencies
  • a6d488a go.mod: update quic-go to v0.51.0 (#6972)
  • 11c6dae go.mod: update quic-go to v0.53.0 (#7094)
  • bbf1dfc headers: Support placeholders in replacement search patterns (#7117)
  • f11c780 http: clean up listeners if some of the listeners fail to bind (#7176)
  • fdf6108 http: disable keepalive when KeepAliveInterval is negative (#7158)
  • 5b727bd httpcaddyfile: Allow naked acme_dns if dns is set (fix #7091)
  • 0badb07 httpcaddyfile: Fix generated config related to ACME global options
  • 092913a httpcaddyfile: Prevent error handler from overriding sub-handler matchers (#6999)
  • 77dd12c httpcaddyfile: Validates TLS DNS challenge options (#7099)
  • 0f209f6 httpcaddyfile: reject blocks in log_skip directive (#7056)
  • 716d72e intercept: implement Unwrap for interceptedResponseHandler (#7016)
  • 9f71483 log: default logger should respect {in,ex}clude (#6995)
  • 33c88bd refactor: replace HasPrefix+TrimPrefix with CutPrefix (#7095)
  • ab3b2d6 refactor: use slices.Equal to simplify code (#7141)
  • 1c596e3 reverse_proxy: use the new KeepAliveConfig to set probe interval (#7157)
  • aa3d20b reverseproxy: Use DialTLSContext if ServerName has placeholder (#6955)
  • 737936c reverseproxy: reference correct field name in LoadModule (#6978)
  • 1209b5c reverseproxy: validate versions in http transport (#7112)

New Contributors

Full Changelog: caddyserver/caddy@v2.10.0...v2.10.1

v2.10.0

Compare Source

Caddy 2.10 is here! Aside from bug fixes, this release features:

  • Encrypted ClientHello (ECH): This new technology encrypts the last plaintext portion of a TLS connection: the ClientHello, which includes the domain name being connected to. The draft spec for ECH is almost finalized, so we can now support this privacy feature for TLS. This is a powerful but nuanced capability; we highly recommend reading the ECH documentation on our website.
  • Post-quantum (PQC) key exchange: Caddy now supports the standardized x25519mlkem768 cryptographic group by default.
  • ACME profiles: ACME profiles are an experimental draft that allow you to choose properties of your certificates with more flexibility than traditional CSR methods. For example, Let's Encrypt will issue 6-day certificates under a certain profile. Caddy may eventually use that profile by default.
  • Via header: The reverse proxy now sets a Via header instead of a duplicate Server header.
  • Global DNS provider: You can now specify a default "global" DNS module to use instead of having to configure it locally in every part of your config that requires a DNS provider (for example, ACME DNS challenges, and ECH). This is the dns global option in the Caddyfile, or in JSON config, it's the dns parameter in the tls app configuration.
  • Wildcards used by default: Previously, Caddy would obtain individual certificates for every domain in your config literally; now wildcards, if present, will be utilized for subdomains, rather than obtaining individual certificates. This change was motivated by the novel possibility for subdomain privacy afforded by ECH. It can be overridden with tls force_automate in the Caddyfile. The experimental auto_https prefer_wildcard option has been removed.
  • libdns 1.0 APIs: Many of you use DNS provider modules to solve ACME DNS challenges or to enable dynamic DNS. They implement interfaces defined by libdns to get, set, append, and delete DNS records. After 5 years of production experience, including lessons learned with ECH, libdns APIs have been updated and 1.0 beta has been tagged. DNS provider packages will need to update their code to be compatible, which will help ensure stability and well-defined semantics for the future. Several packages have already updated or are in the process of updating (cloudflare, rfc2136, and desec to name a few).
  • Global dns config: Now that several components of Caddy configuration may affect DNS records (ACME challenges, ECH publication, etc.), there is a new dns global option that can be used to specify your DNS provider config in a single place. This prevents repetition of credentials for servers where all the domains are managed by a single DNS provider.

Thank you to the many contributors who have helped to make this possible! 🎉 🥳 🍾

⚠️ While we have traditionally supported the last 2 minor Go versions to accommodate some distribution / package manager policies, we now only support the latest minor Go version. The privacy and security benefits added in new Go versions (such as post-quantum cryptography) are worth making available to everyone as soon as possible, rather than holding back the entire user base or maintaining multiple code compilation configurations.

Encrypted ClientHello (ECH) details

(This is a brief overview. We recommend reading the full documentation.)

Typically, server names (domain names, or "SNI") are sent in the plaintext ClientHello when establishing TLS connections. With ECH, the true server name is encrypted (and wrapped) by an "outer" ClientHello which has a generic SNI of your choosing. With many sites on the same server sharing the same outer SNI, both clients and the server have more privacy related to domain names.

Caddy implements fully automated ECH, meaning that it generates (and soon, rotates), publishes, and serves ECH configurations simply by specifying a DNS provider, and the outer/public domain name to use.

Fully automated ECH requires a DNS module built into your Caddy binary. In order for a client, such as a browser, to know it can use ECH, and what parameters to use, the server's ECH configuration must be published. This config includes the public name, cryptographic parameters, and a public key for encrypting the inner ClientHello. By convention, browsers read the standardized HTTPS-type DNS record containing an ech SvcParamKey. Caddy sets this DNS record for all domains being protected, but it needs that DNS provider module plugged in and configured in order to do this. If you are already using the DNS ACME challenge, you should already have a DNS provider plugged in. If you prefer to build Caddy from source with a DNS module, it's easy with xcaddy, for example: $ xcaddy build --with github.com/caddy-dns/cloudflare

The minimum config needed to enable Encrypted ClientHello is also the recommended config, as it maximizes privacy benefits in most situations. You just need the ech global option and a DNS provider specified. Here's an example using Cloudflare as the nameserver:

Caddyfile:

{
	debug  # not required; recommended while testing
	dns cloudflare {env.CLOUDFLARE_API_KEY}
	ech ech.example.net
}

example.com {
	respond "Hello there!"
}

This protects all your sites (example.com in this case) behind the public name of ech.example.net. (As another example, Cloudflare uses cloudflare-ech.com for all the sites it serves. We recommend choosing a single public domain and using it to protect all your sites.)

The outer/public name you choose should point to your server. Caddy will obtain a certificate for this name in order to facilitate safe, reliable connections for clients when needed. Without a certificate, clients may be forced to connect insecurely, or fail to connect at all, in some cases, which not only leaves them vulnerable, but also risks exposing the names of your server's sites.

Caddy then uses the specified DNS provider to publish the ECH config(s) for your various site names. It creates (or augments) HTTPS-type records for the domains of your sites (not your ECH public name). Note that DNS provider modules are independently-maintained, and may not have been tested for compatibility with HTTPS-type records. Please contact your module's maintainers if you experience issues.

If you have more advanced configuration needs, you can use the JSON configuration (more details coming soon; for now, see #6862 or look at the source code; or use caddy adapt to convert a Caddyfile to JSON).

Testing and verifying Encrypted ClientHello

First make sure Caddy runs successfully with ECH enabled (and a DNS module) in the config. You should see logs that it is generating an ECH config and publishing it to your domain name(s).

You will need to use a client that supports ECH. Some custom builds of curl do, and Firefox and modern Chrome-based browsers do as well, but you need to enable DNS-over-HTTPS or DNS-over-TLS first (since, obviously, querying DNS in plaintext for a protected domain name will expose the domain and defeat the purpose of ECH).

If reusing an existing domain name, clear your DNS cache. Firefox has a way of doing this for its cache at about:networking#dns.

Once you have a suitable client, use Wireshark to capture network packets as you load your site. You should see only the outer/public name as SNI (ServerName Indicator) values in the packet capture. If at any time you see the true site name, ECH is not working properly -- it could be a client or server issue. Before filing a bug, please try to pinpoint it as a server issue first. But definitely report server bugs! Thank you!

(Note that ECH is not automatically published for CNAME'd domains, and the domain must already have a record in the zone.)

Commits

Beta 1:
Beta 2:
Beta 3:
  • b3e692e caddyfile: Fix formatting for backquote wrapped braces (#6903)
  • 55c89cc caddytls: Convert AP subjects to punycode
  • 1f8dab5 caddytls: Don't publish ECH configs if other records don't exist
  • 782a3c7 caddytls: Don't publish HTTPS record for CNAME'd domain (fix #6922)
  • 49f9af9 caddytls: Fix TrustedCACerts backwards compatibility (#6889)
  • e276994 caddytls: Initialize permission module earlier (fix #6901)
  • 39262f8 caddytls: Minor fixes for ECH
  • 1735730 core: add modular network_proxy support (#6399)
  • 86c620f go.mod: Minor dependency upgrades
  • af2d33a headers: Allow nil HeaderOps (fix #6893)
  • dccf3d8 requestbody: Add set option to replace request body (#5795)
  • 2ac09fd requestbody: Fix ContentLength calculation after body replacement (#6896)
v2.10.0:
  • f297bc0 admin: Remove host checking for UDS (close #6832)
  • 0b2802f build(deps): bump golang.org/x/net from 0.37.0 to 0.38.0 (#6960)
  • 5be77d0 caddyauth: Set authentication provider error in placeholder (#6932)
  • b06a949 caddyhttp: Document side effect of HTTP/3 early data (close #6936)
  • 35c8c2d caddytls: Add remote_ip to HTTP cert manager (close #6952)
  • fb22a26 caddytls: Allow missing ECH meta file
  • 1bfa111 caddytls: Prefer managed wildcard certs over individual subdomain certs (#6959)
  • ea77a9a caddytls: Temporarily treat "" and "@" as equivalent for DNS publication
  • 5a6b2f8 events: Refactor; move Event into core, so core can emit events (#6930)
  • 137711a go.mod: Upgrade acmez and certmagic
  • 9becf61 go.mod: Upgrade to libdns 1.0 beta APIs (requires upgraded DNS providers)
  • 6c38ae7 reverseproxy: Add valid Upstream to DialInfo in active health checks (#6949)

What's Changed


Configuration

📅 Schedule: Branch creation - "before 8am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
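The ECH configuration that the release notes say Caddy publishes in the HTTPS record's ech SvcParam is an ECHConfigList in the wire format of draft-ietf-tls-esni. The following Go program is an added example for this PR discussion, not code from Caddy or CertMagic: it decodes an ECHConfigList, checking every length prefix and skipping configs of unknown versions, so a practitioner can take the ech=... value a resolver returns for a protected domain and confirm that the public_name matches the name given to the ech global option (ech.example.net in the Caddyfile above). The sample list is constructed inline with filler key bytes, not a real HPKE key.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

const echVersion = 0xfe0d // ECHConfig.version for the current ECH draft

// ECHConfig is the decoded ECHConfigContents of one ECHConfig structure.
type ECHConfig struct {
	ConfigID      uint8
	KEMID         uint16
	PublicKey     []byte      // HPKE public key the inner ClientHello is encrypted to
	CipherSuites  [][2]uint16 // (kdf_id, aead_id) pairs
	MaxNameLength uint8
	PublicName    string // outer SNI clients send, e.g. "ech.example.net"
	Extensions    []byte // raw extensions vector, normally empty
}

// cursor is a bounds-checked reader; the first short read poisons it, so callers
// check err once per structure instead of after every field.
type cursor struct {
	b   []byte
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err != nil || n < 0 || n > len(c.b) {
		c.err = errors.New("truncated ECHConfigList")
		return nil
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}

// uN reads an n-byte (1 or 2) big-endian unsigned integer.
func (c *cursor) uN(n int) int {
	switch v := c.take(n); len(v) {
	case 1:
		return int(v[0])
	case 2:
		return int(binary.BigEndian.Uint16(v))
	}
	return 0
}

// parseECHConfigList decodes an ECHConfigList, skipping configs whose version it does
// not know (as the draft requires) and rejecting any whose lengths do not add up.
func parseECHConfigList(data []byte) ([]ECHConfig, error) {
	outer := &cursor{b: data}
	list := &cursor{b: outer.take(outer.uN(2))}
	if outer.err != nil || len(outer.b) != 0 {
		return nil, errors.New("bad ECHConfigList length prefix")
	}
	var out []ECHConfig
	for len(list.b) > 0 {
		version := list.uN(2)
		body := &cursor{b: list.take(list.uN(2))}
		if list.err != nil {
			return nil, list.err
		}
		if version != echVersion {
			continue
		}
		c := ECHConfig{ConfigID: uint8(body.uN(1)), KEMID: uint16(body.uN(2))}
		c.PublicKey = body.take(body.uN(2))
		suites := &cursor{b: body.take(body.uN(2))}
		for len(suites.b) >= 4 {
			c.CipherSuites = append(c.CipherSuites, [2]uint16{uint16(suites.uN(2)), uint16(suites.uN(2))})
		}
		c.MaxNameLength = uint8(body.uN(1))
		c.PublicName = string(body.take(body.uN(1)))
		c.Extensions = body.take(body.uN(2))
		if body.err != nil || len(body.b) != 0 || len(suites.b) != 0 || len(c.PublicKey) == 0 || c.PublicName == "" {
			return nil, errors.New("malformed ECHConfig")
		}
		out = append(out, c)
	}
	return out, nil
}

// sampleList is a constructed ECHConfigList (filler 0x42 key bytes, not a real HPKE key):
// one ECHConfig with config_id 7, X25519 KEM, one cipher suite and public_name ech.example.net.
func sampleList() []byte {
	name := "ech.example.net"
	ct := append([]byte{7, 0x00, 0x20, 0x00, 0x20}, bytes.Repeat([]byte{0x42}, 32)...) // config_id, kem_id, public_key<32>
	ct = append(ct, 0x00, 0x04, 0x00, 0x01, 0x00, 0x01, 0x00, uint8(len(name)))          // cipher_suites<4>, max_name_len, name len
	ct = append(append(ct, name...), 0x00, 0x00)                                           // public_name, extensions<0>
	cfg := append([]byte{0xfe, 0x0d, 0x00, uint8(len(ct))}, ct...)                         // version, length, contents
	return append([]byte{0x00, uint8(len(cfg))}, cfg...)                                   // ECHConfigList length prefix
}

func main() {
	cfgs, err := parseECHConfigList(sampleList())
	fmt.Printf("ech=%s\n%+v err=%v\n", base64.StdEncoding.EncodeToString(sampleList()), cfgs, err)
}
```

To check a live deployment, base64-decode the ech=... SvcParam from the domain's HTTPS record and feed the bytes to parseECHConfigList; the public_name it prints must be the ech global option's value, and the public key must change after Caddy rotates the config.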
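The "Testing and verifying Encrypted ClientHello" section above reduces to one rule: the ClientHello on the wire must carry only the outer/public name as SNI, never a protected site's name, and must contain the encrypted_client_hello extension. The following Go program is an added example, not part of the release notes or of Caddy: it parses the server_name (type 0) and encrypted_client_hello (type 0xfe0d) extensions out of a raw TLS ClientHello record with full length checking, applies that rule, and exercises it on ClientHello records it constructs itself (fixed filler random and ECH bytes, not a real handshake). The same parser can be pointed at ClientHello bytes exported from a Wireshark capture.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"slices"
)

const (
	extServerName = 0x0000 // server_name extension (RFC 6066)
	extECH        = 0xfe0d // encrypted_client_hello extension (draft-ietf-tls-esni)
)

var errMalformed = errors.New("malformed ClientHello record")
var be = binary.BigEndian

// parseClientHello reads one TLS record carrying a ClientHello and returns the SNI sent
// in the clear ("" if absent) and whether the ECH extension is present. Every other
// field is skipped by its length prefix, and every length is checked against the record.
func parseClientHello(rec []byte) (sni string, hasECH bool, err error) {
	// record header: type(1) version(2) length(2); handshake header: type(1) length(3)
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 0x01 || int(be.Uint16(rec[3:])) != len(rec)-5 ||
		int(rec[6])<<16|int(rec[7])<<8|int(rec[8]) != len(rec)-9 {
		return "", false, errMalformed
	}
	body, p := rec[9:], 34 // skip legacy_version(2) and random(32)
	for _, w := range []int{1, 2, 1} { // session_id<1>, cipher_suites<2>, compression_methods<1>
		if p+w > len(body) {
			return "", false, errMalformed
		}
		if w == 1 {
			p += 1 + int(body[p])
		} else {
			p += 2 + int(be.Uint16(body[p:]))
		}
	}
	if p+2 > len(body) || p+2+int(be.Uint16(body[p:])) != len(body) { // extensions<2> fill the rest
		return "", false, errMalformed
	}
	for p += 2; p < len(body); {
		if p+4 > len(body) || p+4+int(be.Uint16(body[p+2:])) > len(body) {
			return "", false, errMalformed
		}
		typ, data := be.Uint16(body[p:]), body[p+4:p+4+int(be.Uint16(body[p+2:]))]
		p += 4 + len(data)
		switch typ {
		case extServerName: // ServerNameList: list_len(2) name_type(1) name_len(2) host_name
			if len(data) < 5 || data[2] != 0 || 5+int(be.Uint16(data[3:])) > len(data) {
				return "", false, errMalformed
			}
			sni = string(data[5 : 5+int(be.Uint16(data[3:]))])
		case extECH:
			hasECH = true
		}
	}
	return sni, hasECH, nil
}

// checkECH applies the release notes' rule to a parsed ClientHello: the outer SNI must be
// the public name, never a protected site name, and the ECH extension must be present.
func checkECH(sni string, hasECH bool, publicName string, sites []string) error {
	if slices.Contains(sites, sni) {
		return fmt.Errorf("true site name %q visible in outer SNI: ECH is not in effect", sni)
	}
	if sni != publicName || !hasECH {
		return fmt.Errorf("expected public name %q with ECH extension, got SNI %q, ech=%v", publicName, sni, hasECH)
	}
	return nil
}

// appendExt appends one (type, length, data) extension to an extensions vector.
func appendExt(b []byte, typ uint16, data []byte) []byte {
	return append(be.AppendUint16(be.AppendUint16(b, typ), uint16(len(data))), data...)
}

// buildClientHello assembles a constructed TLS 1.3-style ClientHello record with the given
// SNI and, optionally, an ECH extension. Random and ECH bytes are fixed filler, not real values.
func buildClientHello(sni string, withECH bool) []byte {
	sniList := be.AppendUint16(nil, uint16(len(sni)+3))                 // ServerNameList length
	sniList = be.AppendUint16(append(sniList, 0x00), uint16(len(sni))) // name_type host_name, name length
	exts := appendExt(nil, extServerName, append(sniList, sni...))
	if withECH { // outer ECHClientHello: type byte 0 followed by filler suite/config_id/enc/payload
		exts = appendExt(exts, extECH, append([]byte{0x00}, bytes.Repeat([]byte{0xAA}, 80)...))
	}
	body := append([]byte{0x03, 0x03}, bytes.Repeat([]byte{0x11}, 32)...) // legacy_version, random
	body = append(body, 0x00, 0x00, 0x02, 0x13, 0x01, 0x01, 0x00)         // no session_id; TLS_AES_128_GCM_SHA256; null compression
	body = append(be.AppendUint16(body, uint16(len(exts))), exts...)
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append(be.AppendUint16([]byte{0x16, 0x03, 0x01}, uint16(len(hs))), hs...)
}

func main() {
	for _, name := range []string{"ech.example.net", "example.com"} {
		sni, hasECH, err := parseClientHello(buildClientHello(name, name == "ech.example.net"))
		if err != nil {
			panic(err)
		}
		fmt.Printf("outer SNI=%q ech=%v -> %v\n", sni, hasECH, checkECH(sni, hasECH, "ech.example.net", []string{"example.com"}))
	}
}
```

The second constructed record models the failure case the release notes describe (true site name in the clear, no ECH extension), which checkECH reports as an error; remember that a client that resolved the name over plaintext DNS will produce exactly that kind of ClientHello even when the server side is configured correctly.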
@red-hat-konflux
Contributor Author

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 47 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.0 -> 1.25
cel.dev/expr v0.19.1 -> v0.24.0
github.com/BurntSushi/toml v1.4.0 -> v1.5.0
github.com/alecthomas/chroma/v2 v2.15.0 -> v2.20.0
github.com/caddyserver/certmagic v0.22.0 -> v0.24.0
github.com/cloudflare/circl v1.6.0 -> v1.6.1
github.com/cpuguy83/go-md2man/v2 v2.0.6 -> v2.0.7
github.com/dlclark/regexp2 v1.11.4 -> v1.11.5
github.com/fxamacker/cbor/v2 v2.6.0 -> v2.8.0
github.com/go-chi/chi/v5 v5.2.1 -> v5.2.2
github.com/go-sql-driver/mysql v1.7.1 -> v1.8.1
github.com/google/cel-go v0.24.1 -> v0.26.0
github.com/google/go-tpm v0.9.0 -> v0.9.5
github.com/grpc-ecosystem/grpc-gateway/v2 v2.22.0 -> v2.27.1
github.com/huandu/xstrings v1.5.0 -> v1.5.0
github.com/klauspost/cpuid/v2 v2.2.10 -> v2.3.0
github.com/libdns/libdns v0.2.3 -> v1.1.0
github.com/mholt/acmez/v3 v3.1.0 -> v3.1.2
github.com/pires/go-proxyproto v0.7.1-0.20240628150027-b718e7ce4964 -> v0.8.1
github.com/prometheus/client_golang v1.21.1 -> v1.23.0
github.com/prometheus/client_model v0.6.1 -> v0.6.2
github.com/prometheus/common v0.63.0 -> v0.65.0
github.com/prometheus/procfs v0.15.1 -> v0.16.1
github.com/quic-go/quic-go v0.50.0 -> v0.54.0
github.com/rs/xid v1.5.0 -> v1.6.0
github.com/slackhq/nebula v1.6.1 -> v1.9.5
github.com/smallstep/certificates v0.26.1 -> v0.28.4
github.com/smallstep/go-attestation v0.4.4-0.20240109183208-413678f90935 -> v0.4.4-0.20241119153605-2306d5b464ca
github.com/spf13/pflag v1.0.6 -> v1.0.7
github.com/urfave/cli v1.22.14 -> v1.22.17
github.com/yuin/goldmark v1.7.8 -> v1.7.13
go.etcd.io/bbolt v1.3.9 -> v1.3.10
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 -> v0.61.0
go.opentelemetry.io/contrib/propagators/autoprop v0.42.0 -> v0.62.0
go.opentelemetry.io/contrib/propagators/aws v1.17.0 -> v1.37.0
go.opentelemetry.io/contrib/propagators/b3 v1.17.0 -> v1.37.0
go.opentelemetry.io/contrib/propagators/jaeger v1.17.0 -> v1.37.0
go.opentelemetry.io/contrib/propagators/ot v1.17.0 -> v1.37.0
go.opentelemetry.io/otel v1.34.0 -> v1.37.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.31.0 -> v1.37.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0 -> v1.37.0
go.opentelemetry.io/otel/metric v1.34.0 -> v1.37.0
go.opentelemetry.io/otel/sdk v1.34.0 -> v1.37.0
go.opentelemetry.io/otel/trace v1.34.0 -> v1.37.0
go.opentelemetry.io/proto/otlp v1.3.1 -> v1.7.0
go.uber.org/mock v0.5.0 -> v0.5.2
golang.org/x/time v0.11.0 -> v0.12.0
google.golang.org/grpc v1.71.0 -> v1.73.0
