caddyserver · WeidiDeng · Jan 1, 2026 · diffray-bot · Jan 2, 2026 · diffray-bot
diff --git a/caddytest/integration/listener_test.go b/caddytest/integration/listener_test.go
@@ -3,7 +3,7 @@ package integration
 import (
 	"bytes"
 	"fmt"
-	"math/rand"
+	"math/rand/v2"
 	"net"
 	"net/http"
 	"strings"
@@ -54,7 +54,7 @@ func TestHTTPRedirectWrapperWithLargeUpload(t *testing.T) {
 	const uploadSize = (1024 * 1024) + 1 // 1 MB + 1 byte
 	// 1 more than an MB
 	body := make([]byte, uploadSize)
-	rand.New(rand.NewSource(0)).Read(body)
+	rand.NewChaCha8([32]byte{}).Read(body)
 
 	tester := setupListenerWrapperTest(t, func(writer http.ResponseWriter, request *http.Request) {
 		buf := new(bytes.Buffer)

diff --git a/modules/caddyhttp/caddyauth/basicauth.go b/modules/caddyhttp/caddyauth/basicauth.go
@@ -19,7 +19,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
-	weakrand "math/rand"
+	weakrand "math/rand/v2"
 	"net/http"
 	"strings"
 	"sync"
@@ -244,7 +244,7 @@ func (c *Cache) makeRoom() {
 		// strategy; generating random numbers is cheap and
 		// ensures a much better distribution.
 		//nolint:gosec
-		rnd := weakrand.Intn(len(c.cache))
+		rnd := weakrand.IntN(len(c.cache))
 		i := 0
 		for key := range c.cache {
 			if i == rnd {

diff --git a/modules/caddyhttp/errors.go b/modules/caddyhttp/errors.go
@@ -17,7 +17,7 @@ package caddyhttp
 import (
 	"errors"
 	"fmt"
-	weakrand "math/rand"
+	weakrand "math/rand/v2"
 	"path"
 	"runtime"
 	"strings"
@@ -98,7 +98,7 @@ func randString(n int, sameCase bool) string {
 	b := make([]byte, n)
 	for i := range b {
 		//nolint:gosec
-		b[i] = dict[weakrand.Int63()%int64(len(dict))]
+		b[i] = dict[weakrand.IntN(len(dict))]
 	}
 	return string(b)
 }

diff --git a/modules/caddyhttp/fileserver/staticfiles.go b/modules/caddyhttp/fileserver/staticfiles.go
@@ -20,7 +20,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
-	weakrand "math/rand"
+	weakrand "math/rand/v2"
 	"mime"
 	"net/http"
 	"os"
@@ -601,7 +601,7 @@ func (fsrv *FileServer) openFile(fileSystem fs.FS, filename string, w http.Respo
 		// maybe the server is under load and ran out of file descriptors?
 		// have client wait arbitrary seconds to help prevent a stampede
 		//nolint:gosec
-		backoff := weakrand.Intn(maxBackoff-minBackoff) + minBackoff
+		backoff := weakrand.IntN(maxBackoff-minBackoff) + minBackoff
 		w.Header().Set("Retry-After", strconv.Itoa(backoff))
 		if c := fsrv.logger.Check(zapcore.DebugLevel, "retry after backoff"); c != nil {
 			c.Write(zap.String("filename", filename), zap.Int("backoff", backoff), zap.Error(err))

diff --git a/modules/caddyhttp/reverseproxy/fastcgi/client_test.go b/modules/caddyhttp/reverseproxy/fastcgi/client_test.go
@@ -27,7 +27,7 @@ import (
 	"fmt"
 	"io"
 	"log"
-	"math/rand"
+	"math/rand/v2"
 	"net"
 	"net/http"
 	"net/http/fcgi"
@@ -197,7 +197,7 @@ func generateRandFile(size int) (p string, m string) {
 	h := md5.New()
 	for i := 0; i < size/16; i++ {
 		buf := make([]byte, 16)
-		binary.PutVarint(buf, rand.Int63())
+		binary.PutVarint(buf, rand.Int64())
 		if _, err := fo.Write(buf); err != nil {
 			log.Printf("[ERROR] failed to write buffer: %v\n", err)
 		}

diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go
@@ -21,7 +21,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
-	weakrand "math/rand"
+	weakrand "math/rand/v2"
 	"net"
 	"net/http"
 	"net/url"
@@ -265,7 +265,7 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
 			PreferGo: true,
 			Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
 				//nolint:gosec
-				addr := h.Resolver.netAddrs[weakrand.Intn(len(h.Resolver.netAddrs))]
+				addr := h.Resolver.netAddrs[weakrand.IntN(len(h.Resolver.netAddrs))]
 				return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
 			},
 		}

diff --git a/modules/caddyhttp/reverseproxy/selectionpolicies.go b/modules/caddyhttp/reverseproxy/selectionpolicies.go
@@ -20,7 +20,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"fmt"
-	weakrand "math/rand"
+	weakrand "math/rand/v2"
 	"net"
 	"net/http"
 	"strconv"
@@ -225,7 +225,7 @@ func (r RandomChoiceSelection) Select(pool UpstreamPool, _ *http.Request, _ http
 		if !upstream.Available() {
 			continue
 		}
-		j := weakrand.Intn(i + 1) //nolint:gosec
+		j := weakrand.IntN(i + 1) //nolint:gosec
 		if j < k {
 			choices[j] = upstream
 		}
@@ -274,7 +274,7 @@ func (LeastConnSelection) Select(pool UpstreamPool, _ *http.Request, _ http.Resp
 		// sample: https://en.wikipedia.org/wiki/Reservoir_sampling
 		if numReqs == leastReqs {
 			count++
-			if count == 1 || (weakrand.Int()%count) == 0 { //nolint:gosec
+			if count == 1 || weakrand.IntN(count) == 0 { //nolint:gosec
 				bestHost = host
 			}
 		}
@@ -788,7 +788,7 @@ func selectRandomHost(pool []*Upstream) *Upstream {
 		// upstream will always be chosen if there is at
 		// least one available
 		count++
-		if (weakrand.Int() % count) == 0 { //nolint:gosec
+		if weakrand.IntN(count) == 0 { //nolint:gosec
 			randomHost = upstream
 		}
 	}
@@ -827,7 +827,7 @@ func leastRequests(upstreams []*Upstream) *Upstream {
 	if len(best) == 1 {
 		return best[0]
 	}
-	return best[weakrand.Intn(len(best))] //nolint:gosec
+	return best[weakrand.IntN(len(best))] //nolint:gosec
 }
 
 // hostByHashing returns an available host from pool based on a hashable string s.

diff --git a/modules/caddyhttp/reverseproxy/streaming.go b/modules/caddyhttp/reverseproxy/streaming.go
@@ -24,7 +24,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	weakrand "math/rand"
+	weakrand "math/rand/v2"
 	"mime"
 	"net/http"
 	"sync"

diff --git a/modules/caddyhttp/reverseproxy/upstreams.go b/modules/caddyhttp/reverseproxy/upstreams.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	weakrand "math/rand"
+	weakrand "math/rand/v2"
 	"net"
 	"net/http"
 	"strconv"
@@ -102,7 +102,7 @@ func (su *SRVUpstreams) Provision(ctx caddy.Context) error {
 			PreferGo: true,
 			Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
 				//nolint:gosec
-				addr := su.Resolver.netAddrs[weakrand.Intn(len(su.Resolver.netAddrs))]
+				addr := su.Resolver.netAddrs[weakrand.IntN(len(su.Resolver.netAddrs))]
 				return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
 			},
 		}
@@ -322,7 +322,7 @@ func (au *AUpstreams) Provision(ctx caddy.Context) error {
 			PreferGo: true,
 			Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
 				//nolint:gosec
-				addr := au.Resolver.netAddrs[weakrand.Intn(len(au.Resolver.netAddrs))]
+				addr := au.Resolver.netAddrs[weakrand.IntN(len(au.Resolver.netAddrs))]
 				return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
 			},
 		}

diff --git a/modules/caddypki/acmeserver/acmeserver.go b/modules/caddypki/acmeserver/acmeserver.go
@@ -17,7 +17,7 @@ package acmeserver
 import (
 	"context"
 	"fmt"
-	weakrand "math/rand"
+	weakrand "math/rand/v2"
 	"net"
 	"net/http"
 	"os"
@@ -307,7 +307,7 @@ func (ash Handler) makeClient() (acme.Client, error) {
 			PreferGo: true,
 			Dial: func(ctx context.Context, network, address string) (net.Conn, error) {
 				//nolint:gosec
-				addr := ash.resolvers[weakrand.Intn(len(ash.resolvers))]
+				addr := ash.resolvers[weakrand.IntN(len(ash.resolvers))]
 				return dialer.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
 			},
 		}