Buffalo Files

Security

• Added automated vulnerability scanning with govulncheck CI job running on every push and PR
• Fixed multiple HIGH severity vulnerabilities in golang.org/x/net by upgrading to v0.45.0:
• CVE-2023-39325: HTTP/2 rapid reset attack
• CVE-2022-41721: Request smuggling in h2c
• CVE-2022-41723: Uncontrolled resource consumption
• CVE-2025-65637: DoS via large payloads without newlines
• Fixed multiple MEDIUM severity vulnerabilities in golang.org/x/net:
• CVE-2025-22872: XSS via HTML tokenizer
• CVE-2025-22870: HTTP Proxy bypass via IPv6 Zone IDs
• CVE-2022-41717: Excessive memory growth in HTTP/2
• CVE-2023-45288: HPACK continuation flood
• CVE-2023-44487: HTTP/2 Stream Cancellation Attack
• CVE-2023-3978: XSS in HTML parsing
• Added SECURITY.md with vulnerability reporting guidelines

Features

• Support for multiple file uploads — c.File() now supports uploading multiple files in a single form field (#2389)
• Template metadata injection — Templates can now access file metadata (path, base name, extension, modification time) via configurable keys. Added TemplateMetadataKeys and TemplateBaseDir to render options.
• Assert middleware — New testing middleware to assert handler behavior in unit tests (#2339)
• Better error context — Errors now display stack traces in development mode when the original error supports it

Code Modernization

• Modernized Go syntax — Replaced all interface{} with any (Go 1.18+)
• Updated error handling — Replaced deprecated os.IsNotExist with errors.Is(err, os.ErrNotExist) (Go 1.13+)
• Updated error messages to reference map[string]any

Performance Improvements

• Reduced memory allocations — Optimized Render() to avoid unnecessary memory allocations
• Improved DefaultContext performance — Replaced sync.Map with sync.Mutex for better concurrent performance

Refactoring

• Moved error templates to internal/templates/ directory and co-located embed directives in errors.go for better code organization
• Removed 4 direct dependencies by replacing with internal implementations:
• github.com/dustin/go-humanize → internal formatBytes()
• github.com/gobuffalo/grift → removed (was unused)
• github.com/psanford/memfs → testing/fstest.MapFS
• github.com/gobuffalo/nulls → internal/nulls package

Maintenance & Cleanup

• Updated to Go 1.25 — Minimum Go version raised to 1.25.0; CI tests with Go 1.25 and 1.26
• Removed unused dotfiles — Cleaned up legacy ESLint, CSSLint, Codecov, CodeClimate, and golangci configurations from pre-frontend-tooling era
• Organized go.mod — Separated direct and indirect dependencies for clarity
• Updated all gobuffalo dependencies to latest stable versions

Bug Fixes

• Fixed nulls.Time decoding — Empty values now correctly decode as NULL instead of "0001-01-01" (#2395)
• Fixed DefaultContext data loading — Resolved issue where DefaultContext wasn't properly loading newRequestData
• Improved test isolation — Added ResetContentType() method to Buffalo for better test isolation; fixed test pollution in template helper tests

CI/CD Improvements

• Updated CI workflow to test with Go 1.25 and 1.26
• Added govulncheck vulnerability scanning on all builds
• Updated GitHub Actions to latest versions

Note: This release contains important security fixes. All users are encouraged to upgrade promptly. Migration: No breaking changes. Update your go.mod:

:::bash
go get github.com/gobuffalo/buffalo@latest