chore(caddy): bump the go-modules group across 1 directory with 3 updates

[dependabot]

Bumps the go-modules group with 3 updates in the /caddy directory: github.com/caddyserver/certmagic, github.com/dunglas/mercure and github.com/dunglas/mercure/caddy.

Updates github.com/caddyserver/certmagic from 0.25.2 to 0.25.3

Commits

• c7496f1 More validation of delegated OCSP responders (#378)
• cdc4eb2 fix: Normalization IPv6 addresses for ACME challenge (#376)
• 2cf7e08 Revert "Fix HTTP-01 challenge for IPv6 literal addresses (#377)"
• 3e3363f readme: add dark-mode banner for GitHub UI (#379)
• 3229642 go.mod: Upgrade indirect dependencies
• 60d9d8b Fix HTTP-01 challenge for IPv6 literal addresses (#377)
• e03792e Modernize TLSConfig() (close #375)
• fa1257f Unblock ManageAsync() by putting manageOne() in a goroutine (#374)
• b9e85a9 Don't log nil errors when stapling OCSP (fix #362)
• a7a8ce3 logging: Disable stack traces, fix logger name (#372)
• See full diff in compare view

Updates github.com/dunglas/mercure from 0.22.1 to 0.23.2

Release notes

Sourced from github.com/dunglas/mercure's releases.

v0.23.2

This patch release makes rolling updates non-disruptive for production Mercure deployments: SSE subscribers now drain naturally on hub shutdown, the bundled Helm chart ships SSE-friendly rolling-update defaults out of the box, and a subtle BoltDB race that could leak post-subscribe events into the Last-Event-ID header is fixed.

🐛 Bug Fixes

• Shutdown: Drain SSE subscribers naturally on hub shutdown — the subscriber loop no longer reacts to the hub's context cancellation, so rolling replicas, graceful reloads, or SIGTERMs no longer close all active SSE connections at once. Existing connections keep running until the client disconnects or the per-connection write_timeout fires, letting k8s terminationGracePeriodSeconds bound the drain instead of producing a synchronized reconnect storm by @​dunglas in #1212
• Helm: Ship SSE-friendly rolling-update defaults on the Deployment — maxSurge=1 / maxUnavailable=0 (one pod at a time, no capacity drop), minReadySeconds=30 (quiet window for new pods to warm up), and terminationGracePeriodSeconds=660 (aligned with the default write_timeout plus margin, so #1212's graceful drain has time to complete before SIGKILL) by @​dunglas in #1213
• BoltDB: Stop leaking post-subscribe events into the Last-Event-ID response header — dispatchHistory now checks pastSeqBound before updating the response ID, and the bound uses a strict > comparison so empty-bucket subscribes no longer treat every subsequent write as history. Also fixes the flaky TestUnknownLastEventIDEmptyHistory on main by @​dunglas in #1215

---

These rolling-update improvements are also available to Mercure Cloud and Mercure Enterprise customers out of the box — with scale-tested Redis, Kafka, Pulsar, and Postgres transports, a managed SLA, and priority support. Contact contact@mercure.rocks for the managed cloud offering, on-premise licenses, custom development, consulting, and training.

Full Changelog: v0.23.1...v0.23.2

v0.23.1

Community

This patch release polishes the Helm chart and unifies release distribution. The ServiceMonitor template is now strict about label merging and relabelings, the Ingress default pathType no longer produces invalid manifests, Kubernetes probes hit 127.0.0.1 to avoid BusyBox IPv6 resolution issues, and the chart now declares a minimum supported cluster version. On the CI side, the Helm chart is now published as an asset of the hub's GitHub release so there's a single release artifact per version.

🐛 Bug Fixes

• Helm: Render the metrics.serviceMonitor.selector value as actual labels on the ServiceMonitor (previously documented but never emitted), fix relabelings indentation so user-provided list items render as valid YAML, split metricRelabelings from relabelings so each renders from its own value, and build metadata.labels as a merged dict so selector labels can't duplicate YAML keys or override chart identity labels by @​dunglas in #1206
• Helm: Default Ingress pathType to ImplementationSpecific when unset — networking.k8s.io/v1 requires the field on every path, so omitting it used to produce invalid manifests by @​dunglas in #1206
• Helm: Use 127.0.0.1 explicitly in readiness/liveness probes and the /stop preStop hook — Caddy's admin API binds IPv4-only, but BusyBox wget in caddy:2-alpine resolves localhost to ::1 first and fails the probes in a loop by @​dunglas in #1206
• Helm: Guard the HTTPRoute NOTES.txt branch so it no longer panics at render time when neither hostnames nor parentRefs are set by @​dunglas in #1206
• Helm: Pin kubeVersion: ">=1.23.0-0" to match the highest API used by optional templates (autoscaling/v2 HPA, policy/v1 PDB), so Helm blocks installs on older clusters upfront instead of failing at apply time by @​dunglas in #1206

⚙️ CI & Packaging

• Publish the Helm chart as an asset of the hub's GitHub release instead of a separate helm-chart-* release — one unified release artifact per version, with index.yaml entries pointing at releases/download/v<version>/mercure-<version>.tgz by @​dunglas in #1209
• Bump Caddy module dependencies (pgx/v5 5.9.2, timberjack 1.4.2, regexp2 1.12.0, genproto) by @​dunglas in #1210

Full Changelog: v0.23.0...v0.23.1

helm-chart-0.23.0

A Helm chart to install a Mercure Hub in a Kubernetes cluster. Mercure is a protocol to push data updates to web browsers and other HTTP clients in a convenient, fast, reliable and battery-efficient way.

v0.23.0

Community

Transport-aware health checks come to Mercure. Kubernetes (and any other orchestrator) can now detect when a hub's transport connection is actually broken, not just that the Caddy process is alive. This is especially valuable for Enterprise deployments backed by Redis, Postgres, Kafka, or Pulsar — but it also brings a small improvement for users of Bolt or the local transport. This release also adds HTTProute support and configurable deployment annotations in the Helm chart.

✨ New Features

• Transport-aware health check endpoints — a new TransportHealthChecker interface that transports can implement, and a new admin.api.mercure_health Caddy admin API module exposing /mercure/health/{ready,live} (aggregate) and /mercure/health/{hub}/{ready,live} (per-hub) endpoints. Hubs can be named via the new name Caddyfile directive. The Helm chart now enables transport-aware probes by default, with fallback to the legacy /healthz when healthCheck.enabled=false. The /healthz endpoint on the HTTP port is now deprecated — it only reflects that Caddy is running, not transport connectivity. Transports that don't implement the interface (Bolt, Local) are considered always-healthy. by @​dunglas in #1201
• Helm: Add support for HTTProute as an alternative to Ingress for Gateway API-based clusters by @​dunglas in #1122
• Helm: Allow configuring annotations on the Deployment resource by @​vmignot in #1160

Enterprise

... (truncated)

Commits

• 68308db chore: prepare release 0.23.2
• 5a0c8bd fix(bolt): stop leaking post-subscribe events into Last-Event-ID header (#1215)
• 84fe4eb fix(chart): multiple fixes + SSE-friendly rolling update defaults (#1213)
• 15ebb5c fix(subscribe): drain SSE subscribers naturally on hub shutdown (#1212)
• 2ae1758 chore: prepare release 0.23.1
• 5b4b0af chore(caddy): bump dependencies (#1210)
• 2a7da7f ci: publish Helm chart as an asset of the hub GitHub release (#1209)
• 6de9807 fix(chart): wire ServiceMonitor selector labels and pin kubeVersion (#1206)
• 9bf59c4 ci: bump actions/setup-node from 6 to 6.3.0
• 7193c85 chore: prepare release 0.23.0
• Additional commits viewable in compare view

Updates github.com/dunglas/mercure/caddy from 0.22.1 to 0.23.2

Release notes

Sourced from github.com/dunglas/mercure/caddy's releases.

v0.23.2

This patch release makes rolling updates non-disruptive for production Mercure deployments: SSE subscribers now drain naturally on hub shutdown, the bundled Helm chart ships SSE-friendly rolling-update defaults out of the box, and a subtle BoltDB race that could leak post-subscribe events into the Last-Event-ID header is fixed.

🐛 Bug Fixes

• Shutdown: Drain SSE subscribers naturally on hub shutdown — the subscriber loop no longer reacts to the hub's context cancellation, so rolling replicas, graceful reloads, or SIGTERMs no longer close all active SSE connections at once. Existing connections keep running until the client disconnects or the per-connection write_timeout fires, letting k8s terminationGracePeriodSeconds bound the drain instead of producing a synchronized reconnect storm by @​dunglas in #1212
• Helm: Ship SSE-friendly rolling-update defaults on the Deployment — maxSurge=1 / maxUnavailable=0 (one pod at a time, no capacity drop), minReadySeconds=30 (quiet window for new pods to warm up), and terminationGracePeriodSeconds=660 (aligned with the default write_timeout plus margin, so #1212's graceful drain has time to complete before SIGKILL) by @​dunglas in #1213
• BoltDB: Stop leaking post-subscribe events into the Last-Event-ID response header — dispatchHistory now checks pastSeqBound before updating the response ID, and the bound uses a strict > comparison so empty-bucket subscribes no longer treat every subsequent write as history. Also fixes the flaky TestUnknownLastEventIDEmptyHistory on main by @​dunglas in #1215

---

These rolling-update improvements are also available to Mercure Cloud and Mercure Enterprise customers out of the box — with scale-tested Redis, Kafka, Pulsar, and Postgres transports, a managed SLA, and priority support. Contact contact@mercure.rocks for the managed cloud offering, on-premise licenses, custom development, consulting, and training.

Full Changelog: v0.23.1...v0.23.2

v0.23.1

Community

This patch release polishes the Helm chart and unifies release distribution. The ServiceMonitor template is now strict about label merging and relabelings, the Ingress default pathType no longer produces invalid manifests, Kubernetes probes hit 127.0.0.1 to avoid BusyBox IPv6 resolution issues, and the chart now declares a minimum supported cluster version. On the CI side, the Helm chart is now published as an asset of the hub's GitHub release so there's a single release artifact per version.

🐛 Bug Fixes

• Helm: Render the metrics.serviceMonitor.selector value as actual labels on the ServiceMonitor (previously documented but never emitted), fix relabelings indentation so user-provided list items render as valid YAML, split metricRelabelings from relabelings so each renders from its own value, and build metadata.labels as a merged dict so selector labels can't duplicate YAML keys or override chart identity labels by @​dunglas in #1206
• Helm: Default Ingress pathType to ImplementationSpecific when unset — networking.k8s.io/v1 requires the field on every path, so omitting it used to produce invalid manifests by @​dunglas in #1206
• Helm: Use 127.0.0.1 explicitly in readiness/liveness probes and the /stop preStop hook — Caddy's admin API binds IPv4-only, but BusyBox wget in caddy:2-alpine resolves localhost to ::1 first and fails the probes in a loop by @​dunglas in #1206
• Helm: Guard the HTTPRoute NOTES.txt branch so it no longer panics at render time when neither hostnames nor parentRefs are set by @​dunglas in #1206
• Helm: Pin kubeVersion: ">=1.23.0-0" to match the highest API used by optional templates (autoscaling/v2 HPA, policy/v1 PDB), so Helm blocks installs on older clusters upfront instead of failing at apply time by @​dunglas in #1206

⚙️ CI & Packaging

• Publish the Helm chart as an asset of the hub's GitHub release instead of a separate helm-chart-* release — one unified release artifact per version, with index.yaml entries pointing at releases/download/v<version>/mercure-<version>.tgz by @​dunglas in #1209
• Bump Caddy module dependencies (pgx/v5 5.9.2, timberjack 1.4.2, regexp2 1.12.0, genproto) by @​dunglas in #1210

Full Changelog: v0.23.0...v0.23.1

helm-chart-0.23.0

A Helm chart to install a Mercure Hub in a Kubernetes cluster. Mercure is a protocol to push data updates to web browsers and other HTTP clients in a convenient, fast, reliable and battery-efficient way.

v0.23.0

Community

Transport-aware health checks come to Mercure. Kubernetes (and any other orchestrator) can now detect when a hub's transport connection is actually broken, not just that the Caddy process is alive. This is especially valuable for Enterprise deployments backed by Redis, Postgres, Kafka, or Pulsar — but it also brings a small improvement for users of Bolt or the local transport. This release also adds HTTProute support and configurable deployment annotations in the Helm chart.

✨ New Features

• Transport-aware health check endpoints — a new TransportHealthChecker interface that transports can implement, and a new admin.api.mercure_health Caddy admin API module exposing /mercure/health/{ready,live} (aggregate) and /mercure/health/{hub}/{ready,live} (per-hub) endpoints. Hubs can be named via the new name Caddyfile directive. The Helm chart now enables transport-aware probes by default, with fallback to the legacy /healthz when healthCheck.enabled=false. The /healthz endpoint on the HTTP port is now deprecated — it only reflects that Caddy is running, not transport connectivity. Transports that don't implement the interface (Bolt, Local) are considered always-healthy. by @​dunglas in #1201
• Helm: Add support for HTTProute as an alternative to Ingress for Gateway API-based clusters by @​dunglas in #1122
• Helm: Allow configuring annotations on the Deployment resource by @​vmignot in #1160

Enterprise

... (truncated)

Commits

• 68308db chore: prepare release 0.23.2
• 5a0c8bd fix(bolt): stop leaking post-subscribe events into Last-Event-ID header (#1215)
• 84fe4eb fix(chart): multiple fixes + SSE-friendly rolling update defaults (#1213)
• 15ebb5c fix(subscribe): drain SSE subscribers naturally on hub shutdown (#1212)
• 2ae1758 chore: prepare release 0.23.1
• 5b4b0af chore(caddy): bump dependencies (#1210)
• 2a7da7f ci: publish Helm chart as an asset of the hub GitHub release (#1209)
• 6de9807 fix(chart): wire ServiceMonitor selector labels and pin kubeVersion (#1206)
• 9bf59c4 ci: bump actions/setup-node from 6 to 6.3.0
• 7193c85 chore: prepare release 0.23.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions