Update module github.com/labstack/echo/v5 to v5.2.1

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/labstack/echo/v5	v5.1.1 → v5.2.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

labstack/echo (github.com/labstack/echo/v5)

v5.2.1

Compare Source

Security

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt

// 1. share `public/` folder contents from the server root. This folder actually contains subfolder `admin` which
// contents we want to forbid from downloading
e.Static("/", "public")

// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
    return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

---

• revert PR #​3009 changes to just disabling path escaping by default in static methods/middleware by @​aldas in #​3016

Closes GHSA-vfp3-v2gw-7wfq more completely: the previous fix (#​3009) rejected explicitly encoded
separators at the handler level; this patch makes the no-unescape behavior the default so new configurations are safe without extra opt-out steps.

What changed: DisablePathUnescaping (on StaticConfig and StaticDirectoryHandlerConfig) is deprecated and replaced by EnablePathUnescaping (default false). Path unescaping is now opt-in.

What this protects: With EnablePathUnescaping: false (new default), encoded separators (%2F, %5C) are never decoded before routing or file lookup, so they cannot
bypass route-level authentication or other middleware guards.

What this does NOT protect: Serving a directory with Static, StaticFS, or StaticDirectoryHandler exposes its entire subtree. Sibling routes are not a reliable
ACL boundary — attach authorization middleware directly to the static mount, or serve sensitive sub-trees under separate guarded routes.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt → hello world.txt), you must now opt in:

// Static middleware
e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
    EnablePathUnescaping: true, // only safe when NOT relying on route-based ACL guards
    ...
}))

// StaticDirectoryHandler
middleware.StaticDirectoryHandler(fs, &middleware.StaticDirectoryHandlerConfig{
    EnablePathUnescaping: true,
})

Full Changelog: labstack/echo@v5.2.0...v5.2.1

v5.2.0

Compare Source

Security

• fix(static): reject encoded path separators that bypass route-level middleware by @​vishr in #​3009
• fix(middleware/static): don't double-unescape request path (#​2599) by @​vishr in #​3006

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler/StaticFS and the Static middleware are affected. Thanks to @​a-tt-om and @​oran-gugu for reporting.

Enhancements

• feat(middleware): optional RateLimiterStoreContext for response headers (#​2961) by @​vishr in #​3007
• perf: optimize core hot paths (chain, context, binding, responses) by @​vishr in #​3008
• fix(binder): include field name in bind conversion errors (#​2629) by @​vishr in #​3005
• fix(binder): serialize BindingError to structured JSON (#​2771) by @​vishr in #​3004
• fix(binder): MustUnixTime docs say time.Time, not time.Duration by @​c-tonneslan in #​2988
• fix(middleware): reset ContentLength after gzip decompression by @​shblue21 in #​3000
• fix(middleware/proxy): append RealIP to X-Forwarded-For for WebSocket requests by @​kawaway in #​2994
• Fix proxy panic when balancer has no targets by @​shblue21 in #​2977
• fix(middleware): correct documented KeyAuth KeyLookup default by @​leestana01 in #​2992
• test: lock in v5 group route method-handling (405 + OPTIONS) by @​vishr in #​3003
• docs: liveness signals in README + public ROADMAP by @​vishr in #​3002
• Fix typos in CSRFConfig comments by @​shblue21 in #​2979
• refactor: modernize code usage using gofix by @​kumapower17 in #​2970
• refactor: replace Split in loops with more efficient SplitSeq by @​box4wangjing in #​2969
• refactor: use the built-in max/min to simplify the code by @​criciss in #​2966
• Update GitHub actions deps versions by @​aldas in #​2971

New Contributors

• @​criciss made their first contribution in #​2966
• @​box4wangjing made their first contribution in #​2969
• @​shblue21 made their first contribution in #​2977
• @​c-tonneslan made their first contribution in #​2988
• @​leestana01 made their first contribution in #​2992
• @​kawaway made their first contribution in #​2994

Full Changelog: labstack/echo@v5.1.1...v5.2.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.