Download Latest Version skipper-v0.27.31-windows-amd64.zip (149.7 MB)
Email in envelope

Get an email when there's a new version of Skipper

Home / v0.27.29
Name Modified Size InfoDownloads / Week
Parent folder
skipper-v0.27.29-windows-amd64.zip < 14 hours ago 149.7 MB
skipper-v0.27.29-linux-armv7.tar.gz < 14 hours ago 136.7 MB
skipper-v0.27.29-linux-arm64.tar.gz < 14 hours ago 136.0 MB
skipper-v0.27.29-linux-amd64.tar.gz < 14 hours ago 148.1 MB
skipper-v0.27.29-darwin-arm64.tar.gz < 14 hours ago 147.6 MB
sha256sum.txt < 14 hours ago 613 Bytes
skipper-v0.27.29-darwin-amd64.tar.gz < 14 hours ago 156.4 MB
README.md < 15 hours ago 22.7 kB
v0.27.29 source code.tar.gz < 15 hours ago 5.1 MB
v0.27.29 source code.zip < 15 hours ago 6.1 MB
Totals: 10 Items   885.7 MB 0

Changes

build(deps): bump the all-go-mod-patch-and-minor group with 5 updates (#4134)

Bumps the all-go-mod-patch-and-minor group with 5 updates:

Package From To
github.com/coreos/go-oidc/v3
3.19.0 3.20.0
github.com/hashicorp/memberlist
0.5.4 0.6.0
github.com/molecule-man/go-brrr
1.0.0 1.0.1
github.com/pires/go-proxyproto
0.14.0 0.15.0
golang.org/x/net (github.com) 0.56.0
0.57.0

Updates github.com/coreos/go-oidc/v3 from 3.19.0 to 3.20.0

Release notes

Sourced from github.com/coreos/go-oidc/v3's releases.

v3.20.0

What's Changed

Full Changelog: https://github.com/coreos/go-oidc/compare/v3.19.0...v3.20.0

Commits
  • 75dfa5c oidc: add constants for "email" and "profile" scopes
  • a89f046 oidc: add API for determining when issuer URLs mismatch
  • 6a69b6d readme: update README and docs
  • f9049c9 oidc: ignore JWKs with unknown signing algorithms rather than failing
  • 2f178e0 SECURITY.md: add a security policy and point to project-level reporting
  • b3bc7da oidc: improve documentation for APIs
  • 0db9053 oidc: modernize with new Go APIs
  • See full diff in compare view


Updates github.com/hashicorp/memberlist from 0.5.4 to 0.6.0

Release notes

Sourced from github.com/hashicorp/memberlist's releases.

v0.6.0

What's Changed

Full Changelog: https://github.com/hashicorp/memberlist/compare/v0.5.4...v0.6.0

Commits


Updates github.com/molecule-man/go-brrr from 1.0.0 to 1.0.1

Release notes

Sourced from github.com/molecule-man/go-brrr's releases.

v1.0.1

Fixes:

  • use unsafe arithmetic only for the unalignedOK archs

Performance improvements:

  • convert blockHistograms fields into fixed-size arrays (q2 q3)

Full Changelog: https://github.com/molecule-man/go-brrr/compare/v1.0.0...v1.0.1

Commits
  • 8eab088 fix: use unsafe arithmetic only for the unalignedOK archs
  • 4664913 perf(q2 q3): convert blockHistograms fields into fixed-size arrays
  • f6ba1cc docs: update status, remove pre-v1 warning
  • da97de7 test(benchmarks): add random uncompressable payload
  • See full diff in compare view


Updates github.com/pires/go-proxyproto from 0.14.0 to 0.15.0

Release notes

Sourced from github.com/pires/go-proxyproto's releases.

v0.15.0

This release aligns the library with PROXY protocol spec 3.4 (2026/04/27). It tightens parsing and trust behavior to match the spec's requirements — which makes some previously accepted inputs and configurations fail loudly — and adds first-class support for the PROXY protocol over UDP.

⚠️ Breaking changes

The PROXY header is now required by default (2cd5f00e2b3010a0fa64f52f077a20fb304b72fa)

  • A new DefaultPolicy package variable, set to REQUIRE, is applied by NewConn and Listener.Accept when no policy is configured. The spec forbids guessing whether a header is present, so headerless connections now fail their first Read with ErrNoProxyProtocol.
  • To restore the previous lax behavior: proxyproto.DefaultPolicy = proxyproto.USE.
  • TrustProxyHeaderFrom is now strict: trusted peers get REQUIRE and untrusted peers are dropped by Accept with an error wrapping ErrInvalidUpstream. Previously, untrusted headerless clients could slip through as raw connections.

Stricter v1/v2 header parsing per spec 3.4 (5914db81c566830347865256ec22808fc39a0787)

  • v1: the full PROXY token is validated; IPv6 zone IDs are rejected; plain IPv4 addresses in TCP6 lines are rejected (set V1AcceptIPv4InTCP6 for nginx interop); ports are parsed with leading zeros rejected and ranges validated on formatting.
  • v2: the family/transport whitelist now applies to LOCAL commands too, rejecting undefined bytes per spec 2.2. LOCAL headers with a valid address block decode addresses and TLVs and round-trip; ill-fitting ones are normalized to UNSPEC.
  • New MaxV2HeaderSize variable bounds the declared v2 length (default 4096) — raise it if you carry large TLVs such as PP2_SUBTYPE_SSL_CLIENT_CERT.

✨ New features

PROXY protocol over UDP (499ef90567292b68d14248845f4050f5d917fa5e, fixes #79](https://github.com/href="https://redirect.github.com/pires/go-proxyproto/issues/79">/issues/79))

  • New ParseUDPDatagram and Header.FormatUDPDatagram implement the spec's per-datagram semantics (header and payload share a single datagram) for use with any net.PacketConn.
  • The library deliberately ships no net.PacketConn wrapper — reply routing needs an application-policy flow table — but examples/udppacketconn is a runnable sketch of that pattern, alongside examples/udpserver and examples/udpclient for the plain paths.

Reworked trust policies (2cd5f00e2b3010a0fa64f52f077a20fb304b72fa)

  • New PolicyFromRanges(ranges, matched, unmatched) and MustPolicyFromRanges supersede the whitelist policy family, which is deprecated and now delegates to them. The (REQUIRE, IGNORE) combination covers mixed proxied/direct traffic the old family couldn't express.
  • New CIDR-capable TrustProxyHeaderFromRanges.
  • All built-in policies wrap address-classification failures in ErrInvalidUpstream, so a single unclassifiable peer can no longer stop an accept loop.

TLV registry and PP2SSL caught up to spec 3.4 (4e80228ed95019bd7cba1d215fb169a008c146f5)

  • Registered() now includes PP2_TYPE_GROUP, PP2_SUBTYPE_SSL_SIG_SCHEME, and PP2_SUBTYPE_SSL_CLIENT_CERT.
  • New PP2SSL accessors: SSLSigAlg, SSLKeyAlg, SSLGroup, SSLSigScheme.

🐛 Fixes

  • Header.EqualsTo no longer panics on nil addresses (5914db81c566830347865256ec22808fc39a0787).
  • formatVersion2 folds TLV length into the declared length for Unix families instead of emitting TLVs past it (5914db81c566830347865256ec22808fc39a0787).

🧪 Testing & CI

  • New fuzz/table suites: exhaustive 256-transport-byte sweeps for both v2 commands, a LOCAL decode matrix, byte-for-byte round-trip stability, and FuzzRead parse–format–reparse invariants (5914db81c566830347865256ec22808fc39a0787).
  • CI gains a fuzz job that auto-discovers fuzz targets and uploads crashers as artifacts; workflow actions bumped across the board (af4b18ccae4375269802ff0831e5edf8c26c33c6).
  • Coverage for the http2 serveConn TLS handshake-failure branch (b01bea45dfd89272ed4ee72c7e7f96c94f1c89fc).

📚 Documentation

  • README rewritten against spec 3.4: new Security section with the spec's trust requirements, a UDP section, an examples table, and warnings about the new REQUIRE default (bd986c0a99dccc91fea506d5a6b8c14c5e0cda7c).
Commits
  • bd986c0 docs: rewrite README against PROXY protocol spec 3.4
  • af4b18c ci: add fuzz job, bump workflow actions
  • b01bea4 test: cover http2 serveConn TLS handshake failure
  • 499ef90 feat: support the PROXY protocol over UDP datagrams
  • 4e80228 feat: catch TLV registry and PP2SSL parsing up to spec 3.4
  • 2cd5f00 feat!: require the PROXY header by default and rework trust policies
  • 5914db8 fix!: align v1/v2 header parsing with PROXY protocol spec 3.4
  • See full diff in compare view


Updates golang.org/x/net from 0.56.0 to 0.57.0

Commits
  • b8f09f6 go.mod: update golang.org/x dependencies
  • f05f21b idna: reject all-ASCII xn-- labels on all Go versions
  • 0f748cf internal/http3: clean up stream I/O methods usages in tests
  • 0bb961e internal/http3: add net/http.ResponseController support
  • 0ca694d webdav: document Dir's lack of defense against filesystem modification
  • bd5f1dc http2: initialize Transport on NewClientConn
  • 488ff63 bpf: add security considerations to package docs
  • 93d1f25 xsrftoken: avoid token collisions
  • 5a3baee internal/http3: prevent panic in QPACK decoder due to overflow
  • See full diff in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions

Multiarch Docker image

Multiarch Docker image is available in GitHub's docker registry:

docker run -it ghcr.io/zalando/skipper:v0.27.29 skipper --help
Source: README.md, updated 2026-07-16