deps: bump the all-go-deps group across 2 directories with 4 updates

[dependabot]

Bumps the all-go-deps group with 1 update in the / directory: golang.org/x/net.
Bumps the all-go-deps group with 3 updates in the /test/perfmatrix directory: golang.org/x/net, github.com/go-chi/chi/v5 and github.com/gofiber/fiber/v3.

Updates golang.org/x/net from 0.54.0 to 0.55.0

Commits

• 7770ec4 go.mod: update golang.org/x dependencies
• 4ece7b6 html: escape greater-than symbol in doctype identifiers
• 08be507 html: improve Noah's Ark clause performance
• a8fb2fe html: properly render fostered elements in foreign content
• 0dc5b7a html: properly check namespace in "in body" any other end tag
• a452f3c html: ignore duplicate attributes during tokenization
• f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
• 210ed3c quic: establish a "happened-before" relationship between stream write and read
• ad8140e quic: fix buffer slicing when handling overlapping stream data
• 23ee2ef http2: avoid API changes when built with go1.27
• See full diff in compare view

Updates golang.org/x/sys from 0.44.0 to 0.45.0

Commits

• 397d5f8 unix: update to Linux kernel 7.0
• 0a387f7 cpu: detect zbc extension on riscv64
• 758f71c cpu: add LLACQ_SCREL, SCQ, DBAR_HINTS detection for loong64
• 99666ae unix: merge Linux readv/writev implementation with Darwin/OpenBSD
• e4444cb windows: add NtSetEaFile, NtQueryEaFile and NtQueryInformationFile
• 04396e8 unix: add Readv, Writev, Preadv, Pwritev for OpenBSD
• See full diff in compare view

Updates golang.org/x/net from 0.54.0 to 0.55.0

Commits

• 7770ec4 go.mod: update golang.org/x dependencies
• 4ece7b6 html: escape greater-than symbol in doctype identifiers
• 08be507 html: improve Noah's Ark clause performance
• a8fb2fe html: properly render fostered elements in foreign content
• 0dc5b7a html: properly check namespace in "in body" any other end tag
• a452f3c html: ignore duplicate attributes during tokenization
• f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
• 210ed3c quic: establish a "happened-before" relationship between stream write and read
• ad8140e quic: fix buffer slicing when handling overlapping stream data
• 23ee2ef http2: avoid API changes when built with go1.27
• See full diff in compare view

Updates golang.org/x/net from 0.54.0 to 0.55.0

Commits

• 7770ec4 go.mod: update golang.org/x dependencies
• 4ece7b6 html: escape greater-than symbol in doctype identifiers
• 08be507 html: improve Noah's Ark clause performance
• a8fb2fe html: properly render fostered elements in foreign content
• 0dc5b7a html: properly check namespace in "in body" any other end tag
• a452f3c html: ignore duplicate attributes during tokenization
• f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
• 210ed3c quic: establish a "happened-before" relationship between stream write and read
• ad8140e quic: fix buffer slicing when handling overlapping stream data
• 23ee2ef http2: avoid API changes when built with go1.27
• See full diff in compare view

Updates github.com/go-chi/chi/v5 from 5.2.5 to 5.3.0

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.3.0

What's Changed

• Use strings.ReplaceAll where applicable by @​JRaspass in go-chi/chi#1046
• Propagate inline middlewares across mounted subrouters by @​LukasJenicek in go-chi/chi#1049
• add go 1.26 to ci by @​pkieltyka in go-chi/chi#1052
• Remove last uses of io/ioutil by @​JRaspass in go-chi/chi#1054
• Simplify chi.walk with slices.Concat by @​JRaspass in go-chi/chi#1053
• Apply the stringscutprefix modernizer by @​JRaspass in go-chi/chi#1051
• Bump minimum Go to 1.23, always use request.Pattern by @​JRaspass in go-chi/chi#1048
• middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee by @​alliasgher in go-chi/chi#1085
• Fix typo in Route doc comment by @​gouwazi in go-chi/chi#1073
• fix: set Request.Pattern from RoutePattern() by @​leno23 in go-chi/chi#1097
• feat: middleware.ClientIP, a replacement for middleware.RealIP by @​VojtechVitek in go-chi/chi#967

New Contributors

• @​LukasJenicek made their first contribution in go-chi/chi#1049
• @​alliasgher made their first contribution in go-chi/chi#1085
• @​gouwazi made their first contribution in go-chi/chi#1073
• @​leno23 made their first contribution in go-chi/chi#1097

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

@​VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:

• GHSA-9g5q-2w5x-hmxf — IP spoofing via XFF in RemoteAddr resolution (convto)
• GHSA-rjr7-jggh-pgcp — RealIP allows IP spoofing via unvalidated XFF (rezmoss)
• GHSA-3fxj-6jh8-hvhx — IP spoofing in middleware.RealIP (Saku0512, Critical / 9.3)

It also addresses issues outlined at:

• go-chi/chi#708
• https://adam-p.ca/blog/2022/03/x-forwarded-for/
• go-chi/chi#711
• go-chi/chi#453
• go-chi/chi#908

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:

// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
</tr></table> 

... (truncated)

Commits

• 3b17157 feat: middleware.ClientIP, a replacement for middleware.RealIP (#967)
• 818fdcf fix: set Request.Pattern from RoutePattern() (#1097)
• f975af0 Fix typo in Route doc comment (#1073)
• 4ef87ea middleware: fix httpFancyWriter.ReadFrom double-counting bytes with Tee (#1085)
• a54874f Bump minimum Go to 1.23, always use request.Pattern (#1048)
• 3328d4d Apply the stringscutprefix modernizer (#1051)
• be60b2e Simplify chi.walk with slices.Concat (#1053)
• a36a925 Remove last uses of io/ioutil (#1054)
• 7d93ee3 add go 1.26 to ci (#1052)
• 903cff2 Propagate inline middlewares across mounted subrouters (#1049)
• Additional commits viewable in compare view

Updates github.com/gofiber/fiber/v3 from 3.2.0 to 3.3.0

Release notes

Sourced from github.com/gofiber/fiber/v3's releases.

v3.3.0

🚀 New

• Add support for configuring the Regex engine on the router (#4254) Swap the compiler used for regex() route constraints. Assign a drop-in engine such as coregex.MustCompile for faster matching;Fiber reuses the compiled matcher across requests.

  app := fiber.New(fiber.Config{
      RegexHandler: coregex.MustCompile, // default: regexp.MustCompile
  })

  https://docs.gofiber.io/api/fiber#regexhandler
• Host auth middleware (#4199) New hostauthorization middleware that validates the incoming Host header against an allowlist (exact host, .subdomain wildcard, CIDR range) to protect against DNS rebinding attacks.

  app.Use(hostauthorization.New(hostauthorization.Config{
      AllowedHosts: []string{"api.myapp.com", ".myapp.com", "10.0.0.0/8"},
  }))

  https://docs.gofiber.io/middleware/hostauthorization
• Delegate implementation to fasthttp/prefork (#4210) Prefork now delegates to fasthttp's prefork package and adds PreforkRecoverThreshold (max child restarts before the master exits) and PreforkLogger to ListenConfig. https://docs.gofiber.io/api/fiber#preforkrecoverthreshold
• Add support for contextual logs (#4241) Render request-scoped fields in log.WithContext(c) by configuring a template with log.SetContextTemplate, reusing the middleware/logger engine (including ${value:key} for arbitrary context values).

  log.MustSetContextTemplate(log.ContextConfig{Format: log.RequestIDFormat})
  app.Get("/", func(c fiber.Ctx) error {
  log.WithContext(c).Info("start") // renders the request id
  return c.SendString("ok")
  })

  
  https://docs.gofiber.io/api/log#bind-context
• Add storage backed SharedState for prefork applications (#4243) A prefork-safe, storage-backed key/value store via app.SharedState() for data shared across workers/processes, with JSON/MsgPack/CBOR/XML helpers and automatic key namespacing. app.State() stays process-local.

  app := fiber.New(fiber.Config{
      SharedStorage: redis.New(), // any fiber.Storage shared across workers
  })
  app.SharedState().SetJSON("config", cfg, 0)

  https://docs.gofiber.io/api/state#sharedstate-prefork-safe
• Add lightweight SSE middleware (#4239) A Fiber-native middleware/sse for Server-Sent Events: SSE headers, event/comment/retry frames, per-write flushing, heartbeats, Last-Event-ID access, and disconnect detection via stream.Context().

  app.Get("/events", sse.New(sse.Config{
      Handler: func(c fiber.Ctx, stream *sse.Stream) error {
          return stream.Event(sse.Event{Name: "message", Data: fiber.Map{"message": "hello"}})
      },

... (truncated)

Commits

• a39a035 Merge pull request #4308 from gofiber/fix-mounted-routes-regex-engine-issue
• 25fd939 fix: copy RegexHandler/customConstraints to wrapper app and add positive test...
• f2ce702 🐛 bug: preserve mounted sub-app regex handler
• ee0c55a Merge pull request #4254 from gofiber/claude/add-alternative-regex-support
• 80078d8 🐛 bug: simplify regex handler docs and API surface
• 6831609 🐛 bug: fix latest regex review comments
• be5f4b8 Merge branch 'main' into claude/add-alternative-regex-support
• 2c3b23c 🐛 bug: preserve constraint compatibility for regex matchers
• f3a2ddc Merge pull request #4307 from gofiber/fix-host-authorization-trailing-dot-nor...
• c29053c Potential fix for pull request finding
• Additional commits viewable in compare view

Updates golang.org/x/net from 0.54.0 to 0.55.0

Commits

• 7770ec4 go.mod: update golang.org/x dependencies
• 4ece7b6 html: escape greater-than symbol in doctype identifiers
• 08be507 html: improve Noah's Ark clause performance
• a8fb2fe html: properly render fostered elements in foreign content
• 0dc5b7a html: properly check namespace in "in body" any other end tag
• a452f3c html: ignore duplicate attributes during tokenization
• f865199 quic: fix appendMaxDataFrame erroneously accumulating sentLimit
• 210ed3c quic: establish a "happened-before" relationship between stream write and read
• ad8140e quic: fix buffer slicing when handling overlapping stream data
• 23ee2ef http2: avoid API changes when built with go1.27
• See full diff in compare view

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.