chore(deps): bump github.com/caddyserver/caddy/v2 from 2.10.0 to 2.11.1 #715

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/github.com/caddyserver/caddy/v2-2.11.1

dependabot bot commented on behalf of github Feb 24, 2026

Bumps github.com/caddyserver/caddy/v2 from 2.10.0 to 2.11.1.

Release notes

Sourced from github.com/caddyserver/caddy/v2's releases.

v2.11.1

Our community is pleased to announce Caddy 2.11! Of note are new features, numerous bug fixes including several security patches, and various QoL ("quality-of-life") enhancements.

There are no code changes from v2.11.0 other than to a CI job. Due to a recent external change that broke our release process, the first release of 2.11 is v2.11.1.

Special Sponsor Shoutout

Extra big thanks to our major sponsors:

They, along with dozens of smaller sponsors, make this project and new releases possible, together with our maintainer team. Thank you all!

Notable changes

  • Encrypted ClientHello (ECH) keys are rotated automatically.
  • Time-rolling options for logs.
  • SIGUSR1 can now reload configuration if it was initially loaded from a file on the command line and did not get changed via the API.
  • Reverse proxy now automatically rewrites the Host header to the address of the upstream when the upstream is HTTPS (#7454)
  • log_append can now log request and response bodies, useful for debugging.
  • Our project now implements and requires Assistance Disclosures (for AI/LLMs) on issues, PRs, comments, replies, reviews, etc.
  • Many, many other minor improvements and bug fixes.

Thank you to everyone who was involved this release!

⚠️ Security patches

  • fastcgi: CVE-2026-27590 by @dunglas and @AbdrrahimDahmani - Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INFO confusion) in FastCGI transport.
  • admin: CVE-2026-27589 by @1seal - Cross-origin requests attempted with no-cors mode could cause some API requests to succeed; such requests are now blocked. (In order for this to be practically exploitable, a web browser executing a malicious web page must be running locally to a production Caddy process.)
  • caddyhttp: CVE-2026-27588 by Asim Viladi Oglu Manizada - The Host matcher becomes case-sensitive for large host lists (>100), enabling host-based route/auth bypass.
  • caddyhttp: CVE-2026-27587 by Asim Viladi Oglu Manizada - The Path matcher skips case normalization for escape sequences, enabling path-based route/auth bypass.
  • caddytls: CVE-2026-27586 by @moscowchill - TLS client authentication silently fails open when CA certificate file is missing or malformed.
  • caddyhttp: CVE-2026-27585 by @parrot409 - Improper sanitization of glob characters in file matcher may lead to bypassing security protections.

🚨 Notice for Caddy plugin maintainers: Dependabot will probably alert you to the security fixes in Caddy and urge you to upgrade it in your go.mod file. Please ONLY upgrade the Caddy dependency if there's a change to an exported API your plugin uses. (Then, turn Dependabot off.)

What's Changed

... (truncated)

Commits
  • 6610e2f chore: Disable windows/arm build target (Go 1.26 disabled) (#7503)
  • 03243e4 go.mod: Upgrade dependencies
  • cb436f0 fileserver: Fix tests on Windows
  • a108119 Merge commit from fork
  • eec32a0 Merge commit from fork
  • a2825c5 fileserver: Replace \ with \ in file matcher paths
  • db256b5 build(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 (#7497)
  • 6772ffb Revert "listeners: Add support for named socket activation (#7243)"
  • 95941a7 chore: Add nolints to work around haywire linters (#7493)
  • 3adcafd admin: Fix tests locally, properly isolate storage (#7486)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
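
The fastcgi entry in the release notes above (CVE-2026-27590) names a bug class worth recognising in any path-splitting code: an index found in a case-folded copy of a string is applied to the original. The Go program below is an added illustration of that class, not Caddy's code and not part of this PR; `unsafeSplit`, `safeSplit`, the helper names and the sample path are hypothetical.

```go
package main

import (
	"fmt"
	"strings"
)

// unsafeSplit (hypothetical) finds the marker in a lowercased copy and reuses
// that byte offset on the original path. Lowercasing can change byte lengths
// (U+023A is 2 bytes in UTF-8, its lowercase U+2C65 is 3), so the offset drifts.
func unsafeSplit(path, marker string) (script, info string, ok bool) {
	idx := strings.Index(strings.ToLower(path), strings.ToLower(marker))
	if idx < 0 || idx+len(marker) > len(path) {
		return "", "", false
	}
	return path[:idx+len(marker)], path[idx+len(marker):], true
}

// safeSplit (hypothetical) matches on the original bytes with ASCII-only
// folding, so the returned offset always belongs to the string being sliced.
func safeSplit(path, marker string) (script, info string, ok bool) {
	for i := 0; i+len(marker) <= len(path); i++ {
		if asciiEqualFold(path[i:i+len(marker)], marker) {
			return path[:i+len(marker)], path[i+len(marker):], true
		}
	}
	return "", "", false
}

func asciiLower(c byte) byte {
	if 'A' <= c && c <= 'Z' {
		return c + ('a' - 'A')
	}
	return c
}

func asciiEqualFold(a, b string) bool { // callers pass equal-length strings
	for i := 0; i < len(a); i++ {
		if asciiLower(a[i]) != asciiLower(b[i]) {
			return false
		}
	}
	return true
}

func main() {
	fmt.Println(unsafeSplit("/\u023a/app.php/extra", ".php")) // constructed path
	fmt.Println(safeSplit("/\u023a/app.php/extra", ".php"))
}
```

On the constructed path the unsafe version puts the trailing slash into the script part, while the safe version splits directly after `.php`.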

Bumps [github.com/caddyserver/caddy/v2](https://github.com/caddyserver/caddy) from 2.10.0 to 2.11.1.
- [Release notes](https://github.com/caddyserver/caddy/releases)
- [Commits](caddyserver/caddy@v2.10.0...v2.11.1)

---
updated-dependencies:
- dependency-name: github.com/caddyserver/caddy/v2
  dependency-version: 2.11.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) labels Feb 24, 2026

netlify bot commented Feb 24, 2026

Deploy Preview for teal-sprinkles-4c7f14 canceled.

Name Link
🔨 Latest commit 054b0ba
🔍 Latest deploy log https://app.netlify.com/projects/teal-sprinkles-4c7f14/deploys/699e2916a7a48f0008225f69
