fix(deps): update module github.com/labstack/echo/v4 to v5

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/labstack/echo/v4	v4.15.1 → v5.2.1

---

Release Notes

labstack/echo (github.com/labstack/echo/v4)

v5.2.1

Compare Source

Security

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt

// 1. share `public/` folder contents from the server root. This folder actually contains subfolder `admin` which
// contents we want to forbid from downloading
e.Static("/", "public")

// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
    return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

---

• revert PR #​3009 changes to just disabling path escaping by default in static methods/middleware by @​aldas in #​3016

Closes GHSA-vfp3-v2gw-7wfq more completely: the previous fix (#​3009) rejected explicitly encoded
separators at the handler level; this patch makes the no-unescape behavior the default so new configurations are safe without extra opt-out steps.

What changed: DisablePathUnescaping (on StaticConfig and StaticDirectoryHandlerConfig) is deprecated and replaced by EnablePathUnescaping (default false). Path unescaping is now opt-in.

What this protects: With EnablePathUnescaping: false (new default), encoded separators (%2F, %5C) are never decoded before routing or file lookup, so they cannot
bypass route-level authentication or other middleware guards.

What this does NOT protect: Serving a directory with Static, StaticFS, or StaticDirectoryHandler exposes its entire subtree. Sibling routes are not a reliable
ACL boundary — attach authorization middleware directly to the static mount, or serve sensitive sub-trees under separate guarded routes.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt → hello world.txt), you must now opt in:

// Static middleware
e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
    EnablePathUnescaping: true, // only safe when NOT relying on route-based ACL guards
    ...
}))

// StaticDirectoryHandler
middleware.StaticDirectoryHandler(fs, &middleware.StaticDirectoryHandlerConfig{
    EnablePathUnescaping: true,
})

Full Changelog: labstack/echo@v5.2.0...v5.2.1

v5.2.0

Compare Source

Security

• fix(static): reject encoded path separators that bypass route-level middleware by @​vishr in #​3009
• fix(middleware/static): don't double-unescape request path (#​2599) by @​vishr in #​3006

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler/StaticFS and the Static middleware are affected. Thanks to @​a-tt-om and @​oran-gugu for reporting.

Enhancements

• feat(middleware): optional RateLimiterStoreContext for response headers (#​2961) by @​vishr in #​3007
• perf: optimize core hot paths (chain, context, binding, responses) by @​vishr in #​3008
• fix(binder): include field name in bind conversion errors (#​2629) by @​vishr in #​3005
• fix(binder): serialize BindingError to structured JSON (#​2771) by @​vishr in #​3004
• fix(binder): MustUnixTime docs say time.Time, not time.Duration by @​c-tonneslan in #​2988
• fix(middleware): reset ContentLength after gzip decompression by @​shblue21 in #​3000
• fix(middleware/proxy): append RealIP to X-Forwarded-For for WebSocket requests by @​kawaway in #​2994
• Fix proxy panic when balancer has no targets by @​shblue21 in #​2977
• fix(middleware): correct documented KeyAuth KeyLookup default by @​leestana01 in #​2992
• test: lock in v5 group route method-handling (405 + OPTIONS) by @​vishr in #​3003
• docs: liveness signals in README + public ROADMAP by @​vishr in #​3002
• Fix typos in CSRFConfig comments by @​shblue21 in #​2979
• refactor: modernize code usage using gofix by @​kumapower17 in #​2970
• refactor: replace Split in loops with more efficient SplitSeq by @​box4wangjing in #​2969
• refactor: use the built-in max/min to simplify the code by @​criciss in #​2966
• Update GitHub actions deps versions by @​aldas in #​2971

New Contributors

• @​criciss made their first contribution in #​2966
• @​box4wangjing made their first contribution in #​2969
• @​shblue21 made their first contribution in #​2977
• @​c-tonneslan made their first contribution in #​2988
• @​leestana01 made their first contribution in #​2992
• @​kawaway made their first contribution in #​2994

Full Changelog: labstack/echo@v5.1.1...v5.2.0

v5.1.1

Compare Source

Security

• Context.Scheme() should validate values taken from header by @​aldas in #​2953

Thanks to @​shblue21 for reporting this issue.

Enhancements

• Add golangci linter configuration by @​aldas in #​2930
• Make StartConfig listener creation context-aware by @​EricGusmao in #​2936
• fix(lint): resolve staticcheck issues and improve code quality by @​itsllyaz in #​2941
• Context.Scheme should validate values taken from header by @​aldas in #​2953
• chore: fix typos in httperror.go by @​tisonkun in #​2958
• Context.Json should not unwrap response by @​aldas in #​2964

v5.1.0

Compare Source

Security

This change does not break the API contract, but it does introduce breaking changes in logic/behavior.
If your application is using c.RealIP() beware and read https://echo.labstack.com/docs/ip-address

v4 behavior can be restored with:

e := echo.New()
e.IPExtractor = echo.LegacyIPExtractor()

• Remove legacy IP extraction logic from context.RealIP method by @​aldas in #​2933

Enhancements

• Add echo-opentelemetry to the README.md by @​aldas in #​2908
• fix: correct spelling mistakes in comments and field name by @​crawfordxx in #​2916
• Add https://github.com/labstack/echo-prometheus to the middleware list in README.md by @​aldas in #​2919
• Add StartConfig.Listener so server with custom Listener is easier to create by @​aldas in #​2920
• Fix rate limiter documentation for default burst value by @​karesansui-u in #​2925
• Add doc comments to clarify usage of File related methods and leading slash handling by @​aldas in #​2928
• Add NewDefaultFS function to help create filesystem that allows absolute paths by @​aldas in #​2931
• Do not set http.Server.WriteTimeout in StartConfig by @​aldas in #​2932

v5.0.4

Compare Source

Enhancements

• Remove unused import 'errors' from README example by @​kumapower17 in #​2889
• Fix Graceful shutdown: after http.Server.Serve returns we need to wait for graceful shutdown goroutine to finish by @​aldas in #​2898
• Update location of oapi-codegen in README by @​mromaszewicz in #​2896
• Add Go 1.26 to CI flow by @​aldas in #​2899
• Add new function echo.StatusCode by @​suwakei in #​2892
• CSRF: support older token-based CSRF protection handler that want to render token into template by @​aldas in #​2894
• Add echo.ResolveResponseStatus function to help middleware/handlers determine HTTP status code and echo.Response by @​aldas in #​2900

v5.0.3

Compare Source

Security

• Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by @​shblue21.

This applies to cases when:

• Windows is used as OS
• middleware.StaticConfig.Filesystem is nil (default)
• echo.Filesystem is has not been set explicitly (default)

Exposure is restricted to the active process working directory and its subfolders.

v5.0.2

Compare Source

Security

• Fix Static middleware with config.Browse=true lists all files/subfolders from config.Filesystem root and not starting from config.Root in #​2887

v5.0.1

Compare Source

• Panic MW: will now return a custom PanicStackError with stack trace by @​aldas in #​2871
• Docs: add missing err parameter to DenyHandler example by @​cgalibern in #​2878
• improve: improve websocket checks in IsWebSocket() [per RFC 6455] by @​raju-mechatronics in #​2875
• fix: Context.Json() should not send status code before serialization is complete by @​aldas in #​2877

v5.0.0

Compare Source

Echo v5 is maintenance release with major breaking changes

• Context is now struct instead of interface and we can add method to it in the future in minor versions.
• Adds new Router interface for possible new routing implementations.
• Drops old logging interface and uses moderm log/slog instead.
• Rearranges alot of methods/function signatures to make them more consistent.

Upgrade notes and v4 support:

• Echo v4 is supported with security* updates and bug fixes until 2026-12-31
• If you are using Echo in a production environment, it is recommended to wait until after 2026-03-31 before upgrading.
• Until 2026-03-31, any critical issues requiring breaking v5 API changes will be addressed, even if this violates semantic versioning.

See API_CHANGES_V5.md for public API changes between v4 and v5, notes on upgrading.

Upgrading TLDR:

If you are using Linux you can migrate easier parts like that:

find . -type f -name "*.go" -exec sed -i 's/ echo.Context/ *echo.Context/g' {} +
find . -type f -name "*.go" -exec sed -i 's/echo\/v4/echo\/v5/g' {} +

macOS

find . -type f -name "*.go" -exec sed -i '' 's/ echo.Context/ *echo.Context/g' {} +
find . -type f -name "*.go" -exec sed -i '' 's/echo\/v4/echo\/v5/g' {} +

or in your favorite IDE

Replace all:

1. echo.Context -> *echo.Context
2. echo/v4 -> echo/v5

This should solve most of the issues. Probably the hardest part is updating all the tests.

v4.15.4

Compare Source

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#​3016, released in v5.2.1). Thanks to @​a-tt-om and @​oran-gugu for reporting.

---

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt

// 1. share `public/` folder contents from the server root. This folder actually contains subfolder `admin` which
// contents we want to forbid from downloading
e.Static("/", "public")

// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
    return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt → hello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

Full Changelog: labstack/echo@v4.15.3...v4.15.4

v4.15.3: - Static encoded-separator route bypass fix (GHSA-vfp3-v2gw-7wfq)

Compare Source

Security

• fix(static): reject encoded path separators that bypass route-level middleware by @​vishr in #​3011

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#​3009, released in v5.2.0). Thanks to @​a-tt-om and @​oran-gugu for reporting.

Full Changelog: labstack/echo@v4.15.2...v4.15.3

v4.15.2: - Context.Scheme() header validation

Compare Source

Security

• Context.Scheme() should validate values taken from header by @​aldas in #​2962

Thanks to @​shblue21 for reporting this issue.

Full Changelog: labstack/echo@v4.15.1...v4.15.2

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 11 additional dependencies were updated

Details:

Package	Change
github.com/labstack/gommon	v0.4.2 -> v0.5.0
github.com/mattn/go-colorable	v0.1.14 -> v0.1.15
github.com/mattn/go-isatty	v0.0.20 -> v0.0.22
golang.org/x/crypto	v0.49.0 -> v0.53.0
golang.org/x/mod	v0.34.0 -> v0.36.0
golang.org/x/net	v0.52.0 -> v0.56.0
golang.org/x/sync	v0.20.0 -> v0.21.0
golang.org/x/sys	v0.42.0 -> v0.46.0
golang.org/x/text	v0.35.0 -> v0.38.0
golang.org/x/time	v0.14.0 -> v0.15.0
golang.org/x/tools	v0.43.0 -> v0.45.0