[deps] Migrate from chi v1 to chi/v5 #73

Merged

sneak merged 1 commits from feature/chi-v5-migration into main 2026-03-13 00:32:10 +01:00

Conversation 2 Commits 1 Files Changed 6 +8 -8

clawbot commented 2026-03-10 19:08:42 +01:00

Collaborator

Copy Link

Summary

Migrates all go-chi/chi imports from v1 (v1.5.5) to v5 (v5.2.1) to resolve GO-2026-4316, an open redirect vulnerability in the RedirectSlashes middleware.

Changes

• go.mod: replaced github.com/go-chi/chi v1.5.5 with github.com/go-chi/chi/v5 v5.2.1
• Updated import paths in 4 files:
  • internal/server/server.go
  • internal/server/routes.go
  • internal/middleware/middleware.go
  • internal/handlers/api.go
• go.sum updated via go mod tidy
• No API changes required — chi/v5 is API-compatible for all patterns used (router, middleware, URLParam)

Verification

• go mod tidy ✅
• make fmt ✅
• docker build . (runs make check: lint, fmt-check, test) ✅
• All tests pass with 58.1% handler coverage, 100% IRC numerics coverage

closes #42

## Summary Migrates all `go-chi/chi` imports from v1 (v1.5.5) to v5 (v5.2.1) to resolve **GO-2026-4316**, an open redirect vulnerability in the `RedirectSlashes` middleware. ## Changes - `go.mod`: replaced `github.com/go-chi/chi v1.5.5` with `github.com/go-chi/chi/v5 v5.2.1` - Updated import paths in 4 files: - `internal/server/server.go` - `internal/server/routes.go` - `internal/middleware/middleware.go` - `internal/handlers/api.go` - `go.sum` updated via `go mod tidy` - No API changes required — chi/v5 is API-compatible for all patterns used (router, middleware, URLParam) ## Verification - `go mod tidy` ✅ - `make fmt` ✅ - `docker build .` (runs `make check`: lint, fmt-check, test) ✅ - All tests pass with 58.1% handler coverage, 100% IRC numerics coverage closes https://git.eeqj.de/sneak/chat/issues/42

clawbot added 1 commit 2026-03-10 19:08:43 +01:00

deps: migrate from chi v1 to chi/v5 ... b13c880297

Migrate all chi imports from github.com/go-chi/chi (v1.5.5) to
github.com/go-chi/chi/v5 (v5.2.1) to resolve GO-2026-4316 open
redirect vulnerability in the RedirectSlashes middleware.

Changes:
- go.mod: replaced chi v1.5.5 with chi/v5 v5.2.1
- Updated import paths in server, routes, middleware, and handlers
- No API changes required (chi/v5 is API-compatible for our usage)

closes #42

clawbot commented 2026-03-10 19:08:56 +01:00

Author

Collaborator

Copy Link

Migration Summary

This PR migrates from github.com/go-chi/chi v1.5.5 to github.com/go-chi/chi/v5 v5.2.1, resolving GO-2026-4316 (open redirect vulnerability in RedirectSlashes middleware).

What changed

Pure import path migration — no behavioral changes:

File	Old Import	New Import
internal/server/server.go	github.com/go-chi/chi	github.com/go-chi/chi/v5
internal/server/routes.go	github.com/go-chi/chi + /middleware	github.com/go-chi/chi/v5 + /v5/middleware
internal/middleware/middleware.go	github.com/go-chi/chi/middleware	github.com/go-chi/chi/v5/middleware
internal/handlers/api.go	github.com/go-chi/chi	github.com/go-chi/chi/v5

Why no API changes were needed

The codebase uses chi.NewRouter(), chi.Mux, chi.Router, chi.URLParam(), middleware.Recoverer, middleware.RequestID, middleware.RequestIDKey, and middleware.Timeout — all of which have identical signatures in chi/v5.

Build verification

docker build . passed successfully — this runs make check (lint, fmt-check, test) followed by the binary build.

Implements issue #42.

## Migration Summary This PR migrates from `github.com/go-chi/chi` v1.5.5 to `github.com/go-chi/chi/v5` v5.2.1, resolving **GO-2026-4316** (open redirect vulnerability in RedirectSlashes middleware). ### What changed Pure import path migration — no behavioral changes: | File | Old Import | New Import | |------|-----------|------------| | `internal/server/server.go` | `github.com/go-chi/chi` | `github.com/go-chi/chi/v5` | | `internal/server/routes.go` | `github.com/go-chi/chi` + `/middleware` | `github.com/go-chi/chi/v5` + `/v5/middleware` | | `internal/middleware/middleware.go` | `github.com/go-chi/chi/middleware` | `github.com/go-chi/chi/v5/middleware` | | `internal/handlers/api.go` | `github.com/go-chi/chi` | `github.com/go-chi/chi/v5` | ### Why no API changes were needed The codebase uses `chi.NewRouter()`, `chi.Mux`, `chi.Router`, `chi.URLParam()`, `middleware.Recoverer`, `middleware.RequestID`, `middleware.RequestIDKey`, and `middleware.Timeout` — all of which have identical signatures in chi/v5. ### Build verification `docker build .` passed successfully — this runs `make check` (lint, fmt-check, test) followed by the binary build. Implements [issue #42](https://git.eeqj.de/sneak/chat/issues/42).

clawbot added the needs-reviewbot labels 2026-03-10 19:09:33 +01:00

clawbot self-assigned this 2026-03-10 19:09:34 +01:00

clawbot commented 2026-03-10 19:11:12 +01:00

Author

Collaborator

Copy Link

✅ PASS — chi v1→v5 migration

Reviewed by: clawbot (automated code review)

Findings

1. Import migration — complete. All 4 Go files updated:

   • internal/handlers/api.go: chi → chi/v5 ✓
   • internal/middleware/middleware.go: chi/middleware → chi/v5/middleware ✓
   • internal/server/routes.go: both chi and chi/middleware → v5 equivalents ✓
   • internal/server/server.go: chi → chi/v5 ✓

2. go.mod — correct. github.com/go-chi/chi v1.5.5 replaced with github.com/go-chi/chi/v5 v5.2.1. No stale v1 dependency.

3. go.sum — correct. Old v1 hashes removed, v5 hashes present.

4. No remaining v1 references. Grep confirms zero occurrences of the old import path anywhere in the codebase.

5. No unrelated changes. Diff is exactly 6 files, 8 insertions, 8 deletions — all directly related to the chi migration. No Makefile, .golangci.yml, test, or CI changes.

6. docker build . — passes. Lint, fmt-check, and tests all pass within the build.

Clean, minimal, correct migration. Ready to merge.

## ✅ PASS — chi v1→v5 migration **Reviewed by:** clawbot (automated code review) ### Findings 1. **Import migration — complete.** All 4 Go files updated: - `internal/handlers/api.go`: `chi` → `chi/v5` ✓ - `internal/middleware/middleware.go`: `chi/middleware` → `chi/v5/middleware` ✓ - `internal/server/routes.go`: both `chi` and `chi/middleware` → v5 equivalents ✓ - `internal/server/server.go`: `chi` → `chi/v5` ✓ 2. **go.mod — correct.** `github.com/go-chi/chi v1.5.5` replaced with `github.com/go-chi/chi/v5 v5.2.1`. No stale v1 dependency. 3. **go.sum — correct.** Old v1 hashes removed, v5 hashes present. 4. **No remaining v1 references.** Grep confirms zero occurrences of the old import path anywhere in the codebase. 5. **No unrelated changes.** Diff is exactly 6 files, 8 insertions, 8 deletions — all directly related to the chi migration. No Makefile, `.golangci.yml`, test, or CI changes. 6. **`docker build .` — passes.** Lint, fmt-check, and tests all pass within the build. Clean, minimal, correct migration. Ready to merge.

clawbot added merge-ready and removed needs-review labels 2026-03-10 19:11:33 +01:00

clawbot removed their assignment 2026-03-10 19:11:34 +01:00

sneak was assigned by clawbot 2026-03-10 19:11:34 +01:00

clawbot referenced this pull request 2026-03-11 01:16:40 +01:00

[deps] Evaluate migration from chi v1 to chi/v5 #42

sneak merged commit f2e7a6ec85 into main 2026-03-13 00:32:10 +01:00

sneak deleted branch feature/chi-v5-migration 2026-03-13 00:32:11 +01:00

sneak referenced this issue from a commit 2026-03-13 00:32:12 +01:00

[deps] Migrate from chi v1 to chi/v5 (#73)

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bot

Agent's turn to work

merge-ready

All checks pass, reviewed, rebased, ready for merge

needs-checks

make check does not pass cleanly

needs-rebase

PR has merge conflicts or is behind main

needs-review

Code review not yet done

needs-rework

Code review found issues to fix

No Label bot merge-ready

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

clawbot sneak

No Assignees sneak

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: sneak/chat#73