Skip to content

Update dependency caddyserver/caddy to v2.11.4#276

Merged
jupblb merged 1 commit into
mainfrom
renovate/caddyserver-caddy-2.x
Jul 2, 2026
Merged

Update dependency caddyserver/caddy to v2.11.4#276
jupblb merged 1 commit into
mainfrom
renovate/caddyserver-caddy-2.x

Conversation

@renovate

@renovate renovate Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Update Change
caddyserver/caddy minor v2.9.1v2.11.4

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

caddyserver/caddy (caddyserver/caddy)

v2.11.4

Compare Source

This release patches more security, security-adjacent, and normal bugs. The FrankenPHP project has collaborated on PHP-adjacent patches, which we are grateful for.

The recent surge of patches is mostly attributed to token predictors. We have had to reject more than 75% of "security" reports because they were AI slop spam (or just lazy/incorrect). Please use LLMs and agents wisely to avoid wasting precious maintainer resources. We have started blocking offending accounts that spam slop reports. Thank you to all who submit responsible reports following our security policy to make the project better. We appreciate that the community deems the Caddy project worthy of contribution to improve the broader ecosystem!

Security-related patches:

  • caddyhttp: Normalize Windows backslashes in path matcher (thanks @​Vincent550102)
  • rewrite: Prevent placeholder re-expansion in injected query (thanks @​WhiskerEnt)
  • templates: Improved stripHTML action to more reliably remove malformed HTML (thanks to @​jmrcsnchz)
  • caddyhttp: Ignore header fields with underscores to prevent collisions (thanks @​Vincent550102 for the report and @​dunglas for the patch)

⚠️ These security patches may be breaking if your application relies on the buggy behaviors.

There are also several other various fixes and enhancements by many other contributors. Thank you everyone who participated!

What's Changed

New Contributors

Full Changelog: caddyserver/caddy@v2.11.3...v2.11.4

v2.11.3

Compare Source

This release improves several aspects of Caddy with minor features, bug fixes, and security patches. Thank you to everyone and their bots who contributed to help make this release the best one yet!

Security patches:

We've also merged a couple PRs that fix upstream security bugs in other projects like quic-go and CertMagic. Thank you to @​marten-seemann for maintaining quic-go so diligently!

What's Changed

New Contributors

Full Changelog: caddyserver/caddy@v2.11.2...v2.11.3

v2.11.2

Compare Source

Caddy 2.11.2 contains numerous bug fixes and enhancements! I know that's a lame summary but it's really all over the place.

Highlights

  • Reverse proxy got a lot of love with certain edge cases related to PROXY protocol, health check port, and closing body on retries. Dynamic upstreams are now tracked which enables passive health checking.
  • Performance improvements for metrics.
  • New tls_resolvers global option to control DNS resolvers for all sites when using the ACME DNS challenge.
  • Log rolling now supports zstd compression; deprecated roll_gzip, which will be removed in the future. Use roll_compression instead.
  • Refined logging and some error messages.
  • Fixed a bug in rewrite handler that could cause some URIs to not be rewritten when URI path is an escaped form of target path. Thanks to @​MaherAzzouzi for the report.

Security fixes

This release fixes two CVEs.

  • @​NucleiAv reported a bug in the forward_auth directive that could permit identity injection and potential privilege escalation.
  • @​sammiee5311 reported that vars_regexp double-expanded placeholders, allowing some unusual configs to reveal secrets.

In addition:

  • Built on Go 1.26.1 (also released today) which patches several CVEs.
  • Our documentation has been updated to note that file system case sensitivity may affect the behavior of the hide option of the file_server handler.

Thank you to everyone who contributed, and for our ongoing sponsorships that make this development possible!

Changelog

  • 88616e8 api: Add all in-flight requests /reverse_proxy/upstreams (Fixes #​7277) (#​7517)
  • d935a69 autohttps: Ensure CertMagic config is recreated after autohttps runs (#​7510)
  • 5d20adc build(deps): bump github.com/smallstep/certificates (#​7535)
  • 9371ee6 build(deps): bump the actions-deps group across 1 directory with 12 updates (#​7536)
  • 9798f69 caddyhttp: Avoid nil pointer dereference in proxyWrapper (#​7521)
  • dc36082 caddyhttp: Collect metrics once per route instead of per handler (#​7492)
  • 174fa2d caddyhttp: Evaluate tls.client placeholders more accurately (fix #​7530) (#​7534)
  • eac02ee caddyhttp: Limit empty Host check to HTTP/1.1
  • f283062 cmd: Custom binary names through CustomBinaryName and CustomLongDescription (#​7513)
  • cd9e166 cmd: Pass configFile, not configFlag, for reload command (#​7532)
  • 7b34e31 core: Check whether @​id is unique (#​7002)
  • 566e710 fileserver: document hide case-sensitivity (F-CADDY-FILESERVER-HIDE-CASE-001) (#​7548)
  • 2dd3852 fix(caddyfile): Prevent parser to panic when no token were added by empty {block} (#​7543)
  • 2dbcdef forward_auth: copy_headers does not strip client-supplied identity headers (Fixes GHSA-7r4p-vjf4-gxv4) (#​7545)
  • ce203aa go.mod: Upgrade x/net
  • 76b198f http: Sort auto-HTTPS redirect routes by host specificity (fixes #​7390) (#​7502)
  • 7ffb640 httpcaddyfile: Fix missing TLS connection policies when auto_https is default (#​7325) (#​7507)
  • 45cf61b logging: Ensure slog error level logs don't print stack traces (#​7512)
  • 9873752 logging: Support zstd roll compression (#​7515)
  • 294dfff logging: add DirMode options and propagate FileMode to rotations (#​7335)
  • a6acb39 proxyproto: Generated test coverage (#​7540)
  • 11b56c6 reverseproxy: Fix health_port being ignored in health checks (#​7533)
  • db29860 reverseproxy: Track dynamic upstreams, enable passive healthchecking (#​7539)
  • d7b21c6 reverseproxy: fix tls dialing w/ proxy protocol (#​7508)
  • a5e7c6e reverseproxy: prevent body close on dial-error retries (#​7547)
  • 2ab043b reverseproxy: query escape request urls when proxy protocol is enabled (#​7537)
  • fbfb8fc rewrite: Force recomputing path when escaped path matches rewrite target
  • f145bce tls: Add tls_resolvers global option for DNS challenge configuration (#​7297)

v2.11.1

Compare Source

Our community is pleased to announce Caddy 2.11! Of note are new features, numerous bug fixes including several security patches, and various QoL ("quality-of-life") enhancements.

There are no code changes from v2.11.0 other than to a CI job. Due to a recent external change that broke our release process, the first release of 2.11 is v2.11.1.

Special Sponsor Shoutout

Extra big thanks to our major sponsors:

They, along with dozens of smaller sponsors, make this project and new releases possible, together with our maintainer team. Thank you all!

Notable changes

  • Encrypted ClientHello (ECH) keys are rotated automatically.
  • Time-rolling options for logs.
  • SIGUSR1 can now reload configuration if it was initially loaded from a file on the command line and did not get changed via the API.
  • Reverse proxy now automatically rewrites the Host header to the address of the upstream when the upstream is HTTPS (#​7454)
  • log_append can now log request and response bodies, useful for debugging.
  • Our project now implements and requires Assistance Disclosures (for AI/LLMs) on issues, PRs, comments, replies, reviews, etc.
  • Many, many other minor improvements and bug fixes.

Thank you to everyone who was involved this release!

⚠️ Security patches
  • fastcgi: CVE-2026-27590 by @​dunglas and @​AbdrrahimDahmani - Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport.
  • admin: CVE-2026-27589 by @​1seal - Cross-origin requests attempted with no-cors mode could cause some API requests to succeed; such requests are now blocked. (In order for this to be practically exploitable, a web browser executing a malicious web page must be running locally to a production Caddy process.)
  • caddyhttp: CVE-2026-27588 by Asim Viladi Oglu Manizada - The Host matcher becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass.
  • caddyhttp: CVE-2026-27587 by Asim Viladi Oglu Manizada - The Path matcher skips case normalization for escape sequences, enabling path-based route/auth bypass.
  • caddytls: CVE-2026-27586 by @​moscowchill - TLS client authentication silently fails open when CA certificate file is missing or malformed.
  • caddyhttp: CVE-2026-27585 by @​parrot409 - Improper sanitization of glob characters in file matcher may lead to bypassing security protections.

🚨 Notice for Caddy plugin maintainers: Dependabot will probably alert you to the security fixes in Caddy and urge you to upgrade it in your go.mod file. Please ONLY upgrade the Caddy dependency if there's a change to an exported API your plugin uses. (Then, turn Dependabot off.)

What's Changed

New Contributors

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • On day 1 of the month, every 3 months (* * 1 */3 *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@jupblb jupblb merged commit 9b23e65 into main Jul 2, 2026
14 checks passed
@jupblb jupblb deleted the renovate/caddyserver-caddy-2.x branch July 2, 2026 08:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant