fix(deps): update caddyserver/caddy v2.11.1 → v2.11.2 #1608

Open
truecharts-admin wants to merge 1 commit into main from renovate/caddyserver-caddy-2.11.x

@truecharts-admin
Contributor

This PR contains the following updates:

Package | Update | Change
caddyserver/caddy | patch | 2.11.1 → 2.11.2

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

caddyserver/caddy (caddyserver/caddy)

v2.11.2

Caddy 2.11.2 contains numerous bug fixes and enhancements! I know that's a lame summary but it's really all over the place.

Highlights

  • Reverse proxy got a lot of love with certain edge cases related to PROXY protocol, health check port, and closing body on retries. Dynamic upstreams are now tracked which enables passive health checking.
  • Performance improvements for metrics.
  • New tls_resolvers global option to control DNS resolvers for all sites when using the ACME DNS challenge.
  • Log rolling now supports zstd compression; deprecated roll_gzip, which will be removed in the future. Use roll_compression instead.
  • Refined logging and some error messages.
  • Fixed a bug in rewrite handler that could cause some URIs to not be rewritten when URI path is an escaped form of target path. Thanks to @​MaherAzzouzi for the report.

Security fixes

This release fixes two CVEs.

  • @​NucleiAv reported a bug in the forward_auth directive that could permit identity injection and potential privilege escalation.
  • @​sammiee5311 reported that vars_regexp double-expanded placeholders, allowing some unusual configs to reveal secrets.

In addition:

  • Built on Go 1.26.1 (also released today) which patches several CVEs.
  • Our documentation has been updated to note that file system case sensitivity may affect the behavior of the hide option of the file_server handler.

Thank you to everyone who contributed, and for our ongoing sponsorships that make this development possible!

Changelog

  • 88616e8 api: Add all in-flight requests /reverse_proxy/upstreams (Fixes #​7277) (#​7517)
  • d935a69 autohttps: Ensure CertMagic config is recreated after autohttps runs (#​7510)
  • 5d20adc build(deps): bump github.com/smallstep/certificates (#​7535)
  • 9371ee6 build(deps): bump the actions-deps group across 1 directory with 12 updates (#​7536)
  • 9798f69 caddyhttp: Avoid nil pointer dereference in proxyWrapper (#​7521)
  • dc36082 caddyhttp: Collect metrics once per route instead of per handler (#​7492)
  • 174fa2d caddyhttp: Evaluate tls.client placeholders more accurately (fix #​7530) (#​7534)
  • eac02ee caddyhttp: Limit empty Host check to HTTP/1.1
  • f283062 cmd: Custom binary names through CustomBinaryName and CustomLongDescription (#​7513)
  • cd9e166 cmd: Pass configFile, not configFlag, for reload command (#​7532)
  • 7b34e31 core: Check whether @​id is unique (#​7002)
  • 566e710 fileserver: document hide case-sensitivity (F-CADDY-FILESERVER-HIDE-CASE-001) (#​7548)
  • 2dd3852 fix(caddyfile): Prevent parser to panic when no token were added by empty {block} (#​7543)
  • 2dbcdef forward_auth: copy_headers does not strip client-supplied identity headers (Fixes GHSA-7r4p-vjf4-gxv4) (#​7545)
  • ce203aa go.mod: Upgrade x/net
  • 76b198f http: Sort auto-HTTPS redirect routes by host specificity (fixes #​7390) (#​7502)
  • 7ffb640 httpcaddyfile: Fix missing TLS connection policies when auto_https is default (#​7325) (#​7507)
  • 45cf61b logging: Ensure slog error level logs don't print stack traces (#​7512)
  • 9873752 logging: Support zstd roll compression (#​7515)
  • 294dfff logging: add DirMode options and propagate FileMode to rotations (#​7335)
  • a6acb39 proxyproto: Generated test coverage (#​7540)
  • 11b56c6 reverseproxy: Fix health_port being ignored in health checks (#​7533)
  • db29860 reverseproxy: Track dynamic upstreams, enable passive healthchecking (#​7539)
  • d7b21c6 reverseproxy: fix tls dialing w/ proxy protocol (#​7508)
  • a5e7c6e reverseproxy: prevent body close on dial-error retries (#​7547)
  • 2ab043b reverseproxy: query escape request urls when proxy protocol is enabled (#​7537)
  • fbfb8fc rewrite: Force recomputing path when escaped path matches rewrite target
  • f145bce tls: Add tls_resolvers global option for DNS challenge configuration (#​7297)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
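
The forward_auth fix listed in the changelog above (copy_headers not stripping client-supplied identity headers), as an added example that is not part of this PR or of Caddy's code: a simplified Go model of a gateway copying auth-service headers onto the forwarded request, without and with stripping first. The header names Remote-User and Remote-Groups and both function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
)

// copyAuthHeaders models a gateway step that copies selected headers from an
// auth service's response onto the request forwarded to the backend.
// strip=false: a header the auth response does not set is left untouched, so
// whatever the client sent under that name survives.
// strip=true: every listed header is deleted first, so only values issued by
// the auth service can reach the backend.
func copyAuthHeaders(req, authResp http.Header, names []string, strip bool) {
	for _, name := range names {
		if strip {
			req.Del(name)
		}
		if v := authResp.Get(name); v != "" {
			req.Set(name, v)
		}
	}
}

// forwardedIdentity returns the Remote-User value the backend would see for a
// constructed client request and a constructed auth-service response.
func forwardedIdentity(clientUser, authUser string, strip bool) string {
	req := http.Header{}
	if clientUser != "" {
		req.Set("Remote-User", clientUser) // client-supplied, untrusted
	}
	authResp := http.Header{}
	if authUser != "" {
		authResp.Set("Remote-User", authUser) // issued by the auth service
	}
	copyAuthHeaders(req, authResp, []string{"Remote-User", "Remote-Groups"}, strip)
	return req.Get("Remote-User")
}

func main() {
	// Constructed case: the auth service omits Remote-User in its response.
	fmt.Printf("no strip: backend sees %q\n", forwardedIdentity("admin", "", false))
	fmt.Printf("strip:    backend sees %q\n", forwardedIdentity("admin", "", true))
	// When the auth service does set the header, both variants agree.
	fmt.Printf("auth set: backend sees %q\n", forwardedIdentity("admin", "alice", true))
}
```
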

Member

@Crow-Control left a comment

Auto approved automated PR
