
chore(deps): bump github.com/caddyserver/caddy/v2 from 2.10.2 to 2.11.1 in the go-modules group#27

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/go-modules-3cc011168b

dependabot[bot] commented on behalf of github on Feb 23, 2026
Bumps the go-modules group with 1 update: github.com/caddyserver/caddy/v2.

Updates github.com/caddyserver/caddy/v2 from 2.10.2 to 2.11.1

Release notes

Sourced from github.com/caddyserver/caddy/v2's releases.

v2.11.1

Our community is pleased to announce Caddy 2.11! Of note are new features, numerous bug fixes including several security patches, and various QoL ("quality-of-life") enhancements.

There are no code changes from v2.11.0 other than to a CI job. Due to a recent external change that broke our release process, the first release of 2.11 is v2.11.1.

Special Sponsor Shoutout

Extra big thanks to our major sponsors:

They, along with dozens of smaller sponsors, make this project and new releases possible, together with our maintainer team. Thank you all!

Notable changes

  • Encrypted ClientHello (ECH) keys are rotated automatically.
  • Time-rolling options for logs.
  • SIGUSR1 can now reload configuration if it was initially loaded from a file on the command line and did not get changed via the API.
  • Reverse proxy now automatically rewrites the Host header to the address of the upstream when the upstream is HTTPS (#7454)
  • log_append can now log request and response bodies, useful for debugging.
  • Our project now implements and requires Assistance Disclosures (for AI/LLMs) on issues, PRs, comments, replies, reviews, etc.
  • Many, many other minor improvements and bug fixes.

Thank you to everyone who was involved this release!

⚠️ Security patches

  • fastcgi: CVE-2026-27590 by @dunglas and @AbdrrahimDahmani - Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport.
  • admin: CVE-2026-27589 by @1seal - Cross-origin requests attempted with no-cors mode could cause some API requests to succeed; such requests are now blocked. (In order for this to be practically exploitable, a web browser executing a malicious web page must be running locally to a production Caddy process.)
  • caddyhttp: CVE-2026-27588 by Asim Viladi Oglu Manizada - The Host matcher becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass.
  • caddyhttp: CVE-2026-27587 by Asim Viladi Oglu Manizada - The Path matcher skips case normalization for escape sequences, enabling path-based route/auth bypass.
  • caddytls: CVE-2026-27586 by @moscowchill - TLS client authentication silently fails open when CA certificate file is missing or malformed.
  • caddyhttp: CVE-2026-27585 by @parrot409 - Improper sanitization of glob characters in file matcher may lead to bypassing security protections.

What's Changed

... (truncated)

Commits
  • 6610e2f chore: Disable windows/arm build target (Go 1.26 disabled) (#7503)
  • 03243e4 go.mod: Upgrade dependencies
  • cb436f0 fileserver: Fix tests on Windows
  • a108119 Merge commit from fork
  • eec32a0 Merge commit from fork
  • a2825c5 fileserver: Replace \ with \ in file matcher paths
  • db256b5 build(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#7497)
  • 6772ffb Revert "listeners: Add support for named socket activation (#7243)"
  • 95941a7 chore: Add nolints to work around haywire linters (#7493)
  • 3adcafd admin: Fix tests locally, properly isolate storage (#7486)
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the go-modules group with 1 update: [github.com/caddyserver/caddy/v2](https://github.com/caddyserver/caddy).


Updates `github.com/caddyserver/caddy/v2` from 2.10.2 to 2.11.1
- [Release notes](https://github.com/caddyserver/caddy/releases)
- [Commits](caddyserver/caddy@v2.10.2...v2.11.1)

---
updated-dependencies:
- dependency-name: github.com/caddyserver/caddy/v2
  dependency-version: 2.11.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-modules
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Feb 23, 2026