Skip to content

build(deps): update module github.com/labstack/echo/v5 to v5.2.1#1110

Merged
mergify[bot] merged 2 commits into
masterfrom
renovate/github.com-labstack-echo-v5-5.x
Jun 25, 2026
Merged

build(deps): update module github.com/labstack/echo/v5 to v5.2.1#1110
mergify[bot] merged 2 commits into
masterfrom
renovate/github.com-labstack-echo-v5-5.x

Conversation

@renovate

@renovate renovate Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/labstack/echo/v5 v5.1.1v5.2.1 age confidence

Release Notes

labstack/echo (github.com/labstack/echo/v5)

v5.2.1

Compare Source

Security

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt

// 1. share `public/` folder contents from the server root. This folder actually contains subfolder `admin` which
// contents we want to forbid from downloading
e.Static("/", "public")

// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
    return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.


  • revert PR #​3009 changes to just disabling path escaping by default in static methods/middleware by @​aldas in #​3016

Closes GHSA-vfp3-v2gw-7wfq more completely: the previous fix (#​3009) rejected explicitly encoded
separators at the handler level; this patch makes the no-unescape behavior the default so new configurations are safe without extra opt-out steps.

What changed: DisablePathUnescaping (on StaticConfig and StaticDirectoryHandlerConfig) is deprecated and replaced by EnablePathUnescaping (default false). Path unescaping is now opt-in.

What this protects: With EnablePathUnescaping: false (new default), encoded separators (%2F, %5C) are never decoded before routing or file lookup, so they cannot
bypass route-level authentication or other middleware guards.

What this does NOT protect: Serving a directory with Static, StaticFS, or StaticDirectoryHandler exposes its entire subtree. Sibling routes are not a reliable
ACL boundary — attach authorization middleware directly to the static mount, or serve sensitive sub-trees under separate guarded routes.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txthello world.txt), you must now opt in:

// Static middleware
e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
    EnablePathUnescaping: true, // only safe when NOT relying on route-based ACL guards
    ...
}))

// StaticDirectoryHandler
middleware.StaticDirectoryHandler(fs, &middleware.StaticDirectoryHandlerConfig{
    EnablePathUnescaping: true,
})

Full Changelog: labstack/echo@v5.2.0...v5.2.1

v5.2.0

Compare Source

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler/StaticFS and the Static middleware are affected. Thanks to @​a-tt-om and @​oran-gugu for reporting.

Enhancements

New Contributors

Full Changelog: labstack/echo@v5.1.1...v5.2.0


Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • On day 3 of the month (* * 3 * *)
  • Automerge
    • On day 4, 5, 6, 7, and 8 of the month (* * 4,5,6,7,8 * *)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added ci:auto-merge dependencies Pull requests that update a dependency file labels Jun 25, 2026
@mergify

mergify Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Queued — the merge queue status continues in this comment ↓.

@mergify mergify Bot added the ci:queued label Jun 25, 2026
@mergify

mergify Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Merge Queue Status

  • Entered queue2026-06-25 09:10 UTC · Rule: renovate · triggered by rule Automatic merge on approval
  • Checks passed · in-place
  • Merged2026-06-25 09:16 UTC · at dabe4c324b3165b571b8564304013671d7095187

This pull request spent 5 minutes 54 seconds in the queue, including 3 minutes 41 seconds running CI.

Required conditions to merge

@renovate

renovate Bot commented Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@mergify mergify Bot merged commit f9fcee9 into master Jun 25, 2026
7 checks passed
@mergify mergify Bot deleted the renovate/github.com-labstack-echo-v5-5.x branch June 25, 2026 09:16
@mergify mergify Bot removed the ci:queued label Jun 25, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci:auto-merge dependencies Pull requests that update a dependency file size/XS

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant