chore(deps): bump the go group across 1 directory with 25 updates

[dependabot]

Bumps the go group with 18 updates in the / directory:

Package	From	To
github.com/elazarl/goproxy	1.7.2	1.8.3
github.com/getkin/kin-openapi	0.132.0	0.137.0
github.com/getsentry/sentry-go	0.45.1	0.46.1
github.com/go-git/go-git/v5	5.16.0	5.18.0
github.com/go-logr/logr	1.4.2	1.4.3
github.com/golang-jwt/jwt/v5	5.3.0	5.3.1
github.com/labstack/echo/v4	4.13.3	4.15.1
github.com/labstack/gommon	0.4.2	0.5.0
github.com/oapi-codegen/oapi-codegen/v2	2.5.0	2.6.0
github.com/oapi-codegen/runtime	1.1.2	1.4.0
github.com/onsi/ginkgo/v2	2.23.4	2.28.3
github.com/prometheus/client_golang	1.19.1	1.23.2
github.com/spf13/cobra	1.9.1	1.10.2
github.com/spf13/viper	1.20.1	1.21.0
k8s.io/api	0.33.0	0.36.0
k8s.io/client-go	0.33.0	0.36.0
k8s.io/metrics	0.33.0	0.36.0
sigs.k8s.io/controller-runtime	0.20.4	0.23.3

Updates github.com/elazarl/goproxy from 1.7.2 to 1.8.3

Release notes

Sourced from github.com/elazarl/goproxy's releases.

v1.8.3

What's Changed

• Fix MITM responses leaking upstream HTTP/2 protocol version by @​robmry in elazarl/goproxy#755
• Fix linting issues by @​ErikPelli in elazarl/goproxy#760

New Contributors

• @​robmry made their first contribution in elazarl/goproxy#755

Full Changelog: elazarl/goproxy@v1.8.2...v1.8.3

v1.8.2

What's Changed

• Fix NewResponse writing HTTP/0.0 status lines in MITM mode by @​JamieMagee in elazarl/goproxy#749

New Contributors

• @​JamieMagee made their first contribution in elazarl/goproxy#749

Full Changelog: elazarl/goproxy@v1.8.1...v1.8.2

v1.8.1

What's Changed

• Use chunked response when http2 content length is missing by @​ErikPelli in elazarl/goproxy#742
• Always close request body, even with a custom response by @​ErikPelli in elazarl/goproxy#744
• Merge HTTPMitmConnect and MitmConnect actions by @​ErikPelli in elazarl/goproxy#743

Full Changelog: elazarl/goproxy@v1.8.0...v1.8.1

v1.8.0

What's Changed

• Fix typo in example code snippet by @​PrinceShaji in elazarl/goproxy#653
• Bump golang.org/x/net from 0.35.0 to 0.36.0 in /ext by @​dependabot[bot] in elazarl/goproxy#656
• Only chunk MITM response when body was modified by @​Skn0tt in elazarl/goproxy#720
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in elazarl/goproxy#728
• Bump golangci/golangci-lint-action from 6 to 9 by @​dependabot[bot] in elazarl/goproxy#725
• Fix keep alive logic and replace legacy response write logic by @​ErikPelli in elazarl/goproxy#734
• Bump github.com/stretchr/testify from 1.10.0 to 1.11.1 in /ext by @​dependabot[bot] in elazarl/goproxy#708
• Bump github.com/coder/websocket from 1.8.12 to 1.8.14 in /examples by @​dependabot[bot] in elazarl/goproxy#711
• Bump actions/setup-go from 5 to 6 by @​dependabot[bot] in elazarl/goproxy#709
• fix auth remote proxy in cascadeproxy by @​mcarbonneaux in elazarl/goproxy#664
• Fix linter configuration & issues by @​ErikPelli in elazarl/goproxy#735

New Contributors

• @​PrinceShaji made their first contribution in elazarl/goproxy#653
• @​Skn0tt made their first contribution in elazarl/goproxy#720
• @​mcarbonneaux made their first contribution in elazarl/goproxy#664

Full Changelog: elazarl/goproxy@v1.7.2...v1.8.0

Commits

• eeb2adb Fix linting issues (#760)
• c46b83b Fix MITM responses leaking upstream HTTP/2 protocol version (#755)
• ffdf0b2 Fix NewResponse writing HTTP/0.0 status lines in MITM mode (#749)
• b343a9a Merge HTTPMitmConnect and MitmConnect actions and use the correct one based o...
• d6c78b7 Always close request body even if the proxy server had a custom response retu...
• c2d45c6 Reorganize funding section inside readme
• 44388f6 Use chunked response when http2 content length is missing (#742)
• 26d3e75 Fix linter configuration & issues (#735)
• 5f52967 fix auth remote proxy in cascadeproxy (#664)
• b81733c Bump actions/setup-go from 5 to 6 (#709)
• Additional commits viewable in compare view

Updates github.com/getkin/kin-openapi from 0.132.0 to 0.137.0

Release notes

Sourced from github.com/getkin/kin-openapi's releases.

v0.137.0

What's Changed

• revert to go 1.25 and revert cc4f8d99 by @​fenollp in getkin/kin-openapi#1161

Full Changelog: getkin/kin-openapi@v0.136.0...v0.137.0

v0.136.0

What's Changed

• openapi3: stop injecting contentless default in NewResponses() by @​0-don in getkin/kin-openapi#1148
• openapi3: standardize Origin json tag to "-" across all types by @​reuvenharrison in getkin/kin-openapi#1149
• Update usage message in cmd/validate by @​fenollp in getkin/kin-openapi#1150
• openapi3: fix determinism when handling discriminator mappings by @​fenollp in getkin/kin-openapi#1151
• feat: bump Go to 1.26 by @​fenollp in getkin/kin-openapi#1152
• openapi3: use componentNames for deterministic visitings by @​fenollp in getkin/kin-openapi#1153
• feat: add OpenAPI 3.1 support by @​reuvenharrison in getkin/kin-openapi#1125
• openapi3: add JoinFunc for custom $ref path resolution by @​reuvenharrison in getkin/kin-openapi#1154
• Add many many tests from ApisGuruOpenapiDirectory by @​fenollp in getkin/kin-openapi#1155
• openapi3: remove map-iteration order leaks causing flaky tests by @​cloudnativeninja in getkin/kin-openapi#1158
• openapi2conv: nil-guard components lookup in FromV3SchemaRef by @​SAY-5 in getkin/kin-openapi#1156
• Address various lint errors by @​fenollp in getkin/kin-openapi#1157

New Contributors

• @​0-don made their first contribution in getkin/kin-openapi#1148
• @​cloudnativeninja made their first contribution in getkin/kin-openapi#1158
• @​SAY-5 made their first contribution in getkin/kin-openapi#1156

Full Changelog: getkin/kin-openapi@v0.135.0...v0.136.0

v0.135.0

What's Changed

• openapi3: strip origin from Encodings and ServerVariables maps by @​reuvenharrison in getkin/kin-openapi#1132
• fix: update yaml3 to prevent panic on empty mapping node in sequence by @​reuvenharrison in getkin/kin-openapi#1133
• openapi3: strip origin from extension values to prevent spurious diffs by @​reuvenharrison in getkin/kin-openapi#1137
• openapi3: strip origin from slices in example values by @​reuvenharrison in getkin/kin-openapi#1138
• fix: bump yaml and yaml3 to v0.0.4 by @​reuvenharrison in getkin/kin-openapi#1136
• openapi3: OriginTree approach for origin tracking — separate pass, no inline stripping by @​reuvenharrison in getkin/kin-openapi#1142
• README: drop go-openapi/spec3 by @​zonescape in getkin/kin-openapi#1143
• fix: bump yaml3+yaml to v0.0.9 to fix -root schema origin by @​reuvenharrison in getkin/kin-openapi#1144
• openapi3: call ReadFromURIFunc before checking IsExternalRefsAllowed by @​reuvenharrison in getkin/kin-openapi#1146
• fix: use location.String() instead of location.Path for origin file tracking by @​reuvenharrison in getkin/kin-openapi#1145
• refactor: Replace sort usage with slices package by @​jedevc in getkin/kin-openapi#1147

New Contributors

• @​zonescape made their first contribution in getkin/kin-openapi#1143
• @​jedevc made their first contribution in getkin/kin-openapi#1147

Full Changelog: getkin/kin-openapi@v0.134.0...v0.135.0

v0.134.0

... (truncated)

Commits

• b641244 revert to go 1.25 and revert cc4f8d99
• ff4bce7 fix and upgrade goimports-reviser
• 028df2a refacto(tests): use t.Context instead of context.Background
• cc4f8d9 refacto: replace openapi3.*Ptr(..) funcs with new(..)
• df95b87 address various lint errors
• 3556929 openapi2conv: nil-guard components lookup in FromV3SchemaRef (#1156)
• 5a0a337 openapi3: remove map-iteration order leaks causing flaky tests (#1158)
• 3489553 openapi3: skip v3.1 load/validation flaky tests
• 3aa08cd openapi3: record v3.1 load/validation test failures
• 3179775 openapi3: enable testing for 3.1 documents
• Additional commits viewable in compare view

Updates github.com/getsentry/sentry-go from 0.45.1 to 0.46.1

Release notes

Sourced from github.com/getsentry/sentry-go's releases.

0.46.1

Bug Fixes 🐛

• Correctly capture request body for fasthttp and fiber by @​giortzisg in #1284
• (http) Avoid async transport shutdown panics by @​giortzisg in #1288
• (httpclient) Clone request before adding trace headers by @​giortzisg in #1290
• (scope) Use scoped client for request PII by @​giortzisg in #1289
• Safe concurrent access for span and scope by @​giortzisg in #1285

0.46.0

Breaking Changes 🛠

• Remove SetExtra by @​giortzisg in #1274
• Update compatibility policy to align with Go, supporting only the last two major Go versions by @​giortzisg in #1264
• Drop support for Go 1.24 by @​giortzisg in #1264

New Features ✨

• Add internal_sdk_error client report on serialization fail by @​giortzisg in #1273
• Add grpc integration support by @​ribice in #938
• Re-enable Telemetry Processor by default. To disable the behavior use the DisableTelemetryBuffer flag by @​giortzisg in #1254
• Simplify client DSN storage to internal/protocol.Dsn and make it safe to access by @​giortzisg in #1254

Internal Changes 🔧

Deps

• Bump github.com/labstack/echo/v5 from 5.0.0 to 5.0.3 in /echo by @​dependabot in #1253
• Bump github.com/labstack/echo/v5 from 5.0.0 to 5.0.3 in /crosstest by @​dependabot in #1272
• Bump golangci-lint action from 2.1.1 to 2.11.4 by @​giortzisg in #1265
• Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 in /otel by @​dependabot in #1256
• Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.40.0 to 1.43.0 in /otel/otlp by @​dependabot in #1255

Other

• Improve ci by @​giortzisg in #1271
• Add crosstest package by @​giortzisg in #1269
• Add sentrytest package by @​giortzisg in #1267

Changelog

Sourced from github.com/getsentry/sentry-go's changelog.

0.46.1

Bug Fixes 🐛

• Correctly capture request body for fasthttp and fiber. by @​giortzisg in #1284
• (http) Avoid async transport shutdown panics by @​giortzisg in #1288
• (httpclient) Clone request before adding trace headers by @​giortzisg in #1290
• (scope) Use scoped client for request PII by @​giortzisg in #1289
• Safe concurrent access for span and scope by @​giortzisg in #1285

0.46.0

Breaking Changes 🛠

• Remove SetExtra by @​giortzisg in #1274
• Update compatibility policy to align with Go, supporting only the last two major Go versions by @​giortzisg in #1264
• Drop support for Go 1.24 by @​giortzisg in #1264

New Features ✨

• Add internal_sdk_error client report on serialization fail by @​giortzisg in #1273
• Add grpc integration support by @​ribice in #938
• Re-enable Telemetry Processor by default. To disable the behavior use the DisableTelemetryBuffer flag by @​giortzisg in #1254
• Simplify client DSN storage to internal/protocol.Dsn and make it safe to access by @​giortzisg in #1254

Internal Changes 🔧

Deps

• Bump github.com/labstack/echo/v5 from 5.0.0 to 5.0.3 in /echo by @​dependabot in #1253
• Bump github.com/labstack/echo/v5 from 5.0.0 to 5.0.3 in /crosstest by @​dependabot in #1272
• Bump golangci-lint action from 2.1.1 to 2.11.4 by @​giortzisg in #1265
• Bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 in /otel by @​dependabot in #1256
• Bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.40.0 to 1.43.0 in /otel/otlp by @​dependabot in #1255

Other

• Improve ci by @​giortzisg in #1271
• Add crosstest package by @​giortzisg in #1269
• Add sentrytest package by @​giortzisg in #1267

Commits

• e972183 release: 0.46.1
• 6b9885c fix(http): avoid async transport shutdown panics (#1288)
• 79947a7 fix: safe concurrent access for span and scope (#1285)
• c8ea578 fix(scope): use scoped client for request PII (#1289)
• 0bb583e fix(httpclient): clone request before adding trace headers (#1290)
• bd20df0 fix(fasthttp,fiber): correctly capture request body on scope (#1284)
• 41f09e1 fix(lint): Resolve workspace submodule lint issues (#1276)
• 7a480f7 Merge branch 'release/0.46.0'
• 7e1f926 release: 0.46.0
• 55688a9 fix: keep replace directives (#1275)
• Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.16.0 to 5.18.0

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.18.0

What's Changed

• plumbing: transport/http, Add support for followRedirects policy by @​pjbgf in go-git/go-git#2004

Full Changelog: go-git/go-git@v5.17.2...v5.18.0

v5.17.2

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1941
• dotgit: skip writing pack files that already exist on disk by @​pjbgf in go-git/go-git#1944

⚠️ This release fixes a bug (go-git/go-git#1942) that blocked some users from upgrading to v5.17.1. Thanks @​pskrbasu for reporting it. 🙇

Full Changelog: go-git/go-git@v5.17.1...v5.17.2

v5.17.1

What's Changed

• build: Update module github.com/cloudflare/circl to v1.6.3 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1930
• [v5] plumbing: format/index, Improve v4 entry name validation by @​pjbgf in go-git/go-git#1935
• [v5] plumbing: format/idxfile, Fix version and fanout checks by @​pjbgf in go-git/go-git#1937

Full Changelog: go-git/go-git@v5.17.0...v5.17.1

v5.17.0

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1839
• git: worktree, optimize infiles function for very large repos by @​k-anshul in go-git/go-git#1853
• git: Add strict checks for supported extensions by @​pjbgf in go-git/go-git#1861
• backport, git: Improve Status() speed with new index.ModTime check by @​cedric-appdirect in go-git/go-git#1862
• storage: filesystem, Avoid overwriting loose obj files by @​pjbgf in go-git/go-git#1864

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

v5.16.5

What's Changed

• build: Update module golang.org/x/crypto to v0.45.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1744
• build: Bump Go test versions to 1.23-1.25 (v5) by @​pjbgf in go-git/go-git#1746
• [v5] git: worktree, Don't delete local untracked files when resetting worktree by @​Ch00k in go-git/go-git#1800
• Expand packfile checks by @​pjbgf in go-git/go-git#1836

Full Changelog: go-git/go-git@v5.16.4...v5.16.5

v5.16.4

What's Changed

• backport plumbing: format/idxfile, prevent panic by @​swills in go-git/go-git#1732
• [backport] build: test, Fix build on Windows. by @​pjbgf in go-git/go-git#1734

... (truncated)

Commits

• ea3e7ec Merge pull request #2004 from go-git/v5-http-hardening
• bcd20a9 plumbing: transport/http, Add support for followRedirects policy
• 45ae193 Merge pull request #1944 from go-git/fix-perms
• fda4f74 storage: filesystem/dotgit, Skip writing pack files that already exist on disk
• 2212dc7 Merge pull request #1941 from go-git/renovate/releases/v5.x-go-github.com-go-...
• ebb2d7d build: Update module github.com/go-git/go-git/v5 to v5.17.1 [SECURITY]
• 5e23dfd Merge pull request #1937 from pjbgf/idx-v5
• 6b38a32 Merge pull request #1935 from pjbgf/index-v5
• cd757fc plumbing: format/idxfile, Fix version and fanout checks
• 3ec0d70 plumbing: format/index, Fix tree extension invalidated entry parsing
• Additional commits viewable in compare view

Updates github.com/go-logr/logr from 1.4.2 to 1.4.3

Release notes

Sourced from github.com/go-logr/logr's releases.

v1.4.3

Minor release.

What's Changed

• Fix slog tests for 1.25 by @​hoeppi-google in go-logr/logr#361
• Remove one exception from Slog testing by @​thockin in go-logr/logr#362

New Contributors

• @​hoeppi-google made their first contribution in go-logr/logr#361

Full Changelog: go-logr/logr@v1.4.2...v1.4.3

Commits

• 38a1c47 build(deps): bump github/codeql-action from 3.28.17 to 3.28.18
• f08bedd build(deps): bump actions/setup-go from 5.4.0 to 5.5.0
• 6295e99 build(deps): bump golangci/golangci-lint-action from 7.0.0 to 8.0.0
• 028840d build(deps): bump github/codeql-action from 3.28.15 to 3.28.17
• 511e5fa Merge pull request #367 from go-logr/dependabot/github_actions/github/codeql-...
• d806463 build(deps): bump github/codeql-action from 3.28.13 to 3.28.15
• 158c311 Merge pull request #366 from thockin/master
• c79ddb3 Update to support golangci-lint v2
• 20a64ba build(deps): bump github/codeql-action from 3.28.12 to 3.28.13
• 0385e14 Add comments around slog exceptions
• Additional commits viewable in compare view

Updates github.com/golang-jwt/jwt/v5 from 5.3.0 to 5.3.1

Release notes

Sourced from github.com/golang-jwt/jwt/v5's releases.

v5.3.1

What's Changed

🔐 Features

• Add spellcheck Github action to catch common spelling mistakes by @​equalsgibson in golang-jwt/jwt#458
• Add WithNotBeforeRequired parser option and add test coverage by @​equalsgibson in golang-jwt/jwt#456
• Update godoc example func to properly refer to NewWithClaims() by @​equalsgibson in golang-jwt/jwt#459
• Update github workflows by @​mfridman in golang-jwt/jwt#462
• Additional test for CustomClaims that validates unmarshalling behaviour by @​equalsgibson in golang-jwt/jwt#457
• Fix early file close in jwt cli by @​mfridman in golang-jwt/jwt#472
• Add TPM signature reference by @​salrashid123 in golang-jwt/jwt#473
• Remove misleading ParserOptions documentation in golang-jwt/jwt#484
• Save signature to Token struct after successful signing by @​EgorSheff in golang-jwt/jwt#417
• Set token.Signature in ParseUnverified by @​slickwilli in golang-jwt/jwt#414

👒 Dependencies

• Bump crate-ci/typos from 1.34.0 to 1.35.3 by @​dependabot[bot] in golang-jwt/jwt#461
• Bump crate-ci/typos from 1.35.4 to 1.36.2 by @​dependabot[bot] in golang-jwt/jwt#470
• Bump github/codeql-action from 3 to 4 by @​dependabot[bot] in golang-jwt/jwt#478
• Bump crate-ci/typos from 1.36.2 to 1.39.0 by @​dependabot[bot] in golang-jwt/jwt#480
• Bump golangci/golangci-lint-action from 8 to 9 by @​dependabot[bot] in golang-jwt/jwt#481
• Bump actions/setup-go from 5 to 6 by @​dependabot[bot] in golang-jwt/jwt#469
• Bump crate-ci/typos from 1.39.0 to 1.40.0 by @​dependabot[bot] in golang-jwt/jwt#488
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in golang-jwt/jwt#487
• Bump crate-ci/typos from 1.40.0 to 1.41.0 by @​dependabot[bot] in golang-jwt/jwt#490
• Bump crate-ci/typos from 1.41.0 to 1.42.1 by @​dependabot[bot] in golang-jwt/jwt#492

New Contributors

• @​equalsgibson made their first contribution in golang-jwt/jwt#458
• @​salrashid123 made their first contribution in golang-jwt/jwt#473
• @​EgorSheff made their first contribution in golang-jwt/jwt#417
• @​slickwilli made their first contribution in golang-jwt/jwt#414

Full Changelog: golang-jwt/jwt@v5.3.0...v5.3.1

Commits

• 7ceae61 Add release.yml for changelog configuration
• dce8e4d Set token.Signature in ParseUnverified (#414)
• 8889e20 Save signature to Token struct after successful signing (#417)
• d237f82 ci: update github-actions schedule interval to monthly
• d8dce95 Bump crate-ci/typos from 1.41.0 to 1.42.1 (#492)
• e931803 Bump crate-ci/typos from 1.40.0 to 1.41.0 (#490)
• e6a0afa Bump actions/checkout from 5 to 6 (#487)
• 9f85c9e Bump crate-ci/typos from 1.39.0 to 1.40.0 (#488)
• 60a8669 Bump actions/setup-go from 5 to 6 (#469)
• 76f5828 Remove misleading ParserOptions documentation (#484)
• Additional commits viewable in compare view

Updates github.com/labstack/echo/v4 from 4.13.3 to 4.15.1

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.1

What's Changed

• CSRF: support older token-based CSRF protection handler that want to render token into template by @​aldas in labstack/echo#2905

Full Changelog: labstack/echo@v4.15.0...v4.15.1

v4.15.0

Security

WARNING: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship between the request origin and the target. The middleware uses this to make security decisions:

• same-origin or none: Requests are allowed (exact origin match or direct user navigation)
• same-site: Falls back to token validation (e.g., subdomain to main domain)
• cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to traditional token-based CSRF protection.

New Configuration Options:

• TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
• AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},
// Custom validation for same-site requests
AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
    // Your custom authorization logic here
    return validateCustomAuth(c), nil
    // return true, err  // blocks request with error
    // return true, nil  // allows CSRF request through
    // return false, nil // falls back to legacy token logic
},

}))

PR: labstack/echo#2858

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

Changelog

v5.1.0 - 2026-03-31

Security

This change does not break the API contract, but it does introduce breaking changes in logic/behavior. If your application is using c.RealIP() beware and read https://echo.labstack.com/docs/ip-address

v4 behavior can be restored with:

e := echo.New()
e.IPExtractor = echo.LegacyIPExtractor()

• Remove legacy IP extraction logic from context.RealIP method by @​aldas in labstack/echo#2933

Enhancements

• Add echo-opentelemetry to the README.md by @​aldas in labstack/echo#2908
• fix: correct spelling mistakes in comments and field name by @​crawfordxx in labstack/echo#2916
• Add https://github.com/labstack/echo-prometheus to the middleware list in README.md by @​aldas in labstack/echo#2919
• Add StartConfig.Listener so server with custom Listener is easier to create by @​aldas in labstack/echo#2920
• Fix rate limiter documentation for default burst value by @​karesansui-u in labstack/echo#2925
• Add doc comments to clarify usage of File related methods and leading slash handling by @​aldas in labstack/echo#2928
• Add NewDefaultFS function to help create filesystem that allows absolute paths by @​aldas in labstack/echo#2931
• Do not set http.Server.WriteTimeout in StartConfig by @​aldas in labstack/echo#2932

v5.0.4 - 2026-02-15

Enhancements

• Remove unused import 'errors' from README example by @​kumapower17 in labstack/echo#2889
• Fix Graceful shutdown: after http.Server.Serve returns we need to wait for graceful shutdown goroutine to finish by @​aldas in labstack/echo#2898
• Update location of oapi-codegen in README by @​mromaszewicz in labstack/echo#2896
• Add Go 1.26 to CI flow by @​aldas in labstack/echo#2899
• Add new function echo.StatusCode by @​suwakei in labstack/echo#2892
• CSRF: support older token-based CSRF protection handler that want to render token into template by @​aldas in labstack/echo#2894
• Add echo.ResolveResponseStatus function to help middleware/handlers determine HTTP status code and echo.Response by @​aldas in labstack/echo#2900

v5.0.3 - 2026-02-06

Security

• Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by @​shblue21.

... (truncated)

Commits

• 6f3a84a Merge pull request #2905 from aldas/v4_crsf_token_fallback
• 24fa4d0 CSRF: support older token-based CSRF protection handler that want to render t...
• 482bb46 v4.15.0 changelog
• d0f9d1e CRSF with Sec-Fetch-Site=same-site falls back to legacy token
• f3fc618 CRSF with Sec-Fetch-Site checks
• 4dcb9b4 licence headers
• cbc0ac1 Add PathParam(Or)/QueryParam(Or)/FormParam(Or) generic functions
• 6b14f4e Add Context.Get generic functions
• 321530d disable test - returns different error under Windows
• c8abd9f disable flaky test
• Additional commits viewable in compare view

Updates github.com/labstack/gommon from 0.4.2 to 0.5.0

Release notes

Sourced from github.com/labstack/gommon's releases.

v0.5.0

Highlights

• email: SMTPS / implicit TLS on port 465. smtp.SendMail only speaks plain + STARTTLS, so Resend/SendGrid/etc. on :465 hang on the handshake. Detect port 465 and dial TLS directly. Added Email.TLSConfig (custom root pool / ServerName; always cloned per send) and Email.DialTimeout (scoped to the TCP/TLS connect phase).
• email: no silent cleartext downgrade. Drive Hello() explicitly so a failed EHLO can't be swallowed and mis-read as "STARTTLS not advertised".
• log: silence 14 go vet printf warnings. Split the internal log() method; public signatures unchanged. TestCallerFile guards the runtime.Caller skip.
• random: fix sync.Pool copy in New(). Construct the pool directly on the struct — sync.Pool must not be copied after first use.

Toolchain (breaking)

• Go directive bumped 1.18 → 1.23.0 to align with labstack/echo. Consumers on Go <1.23 should stay on v0.4.2.
• CI matrix: 1.23 / 1.24 / 1.25 / 1.26 × ubuntu / macos / windows.
• Deps refreshed: testify 1.8.4 → 1.11.1, go-colorable 0.1.13 → 0.1.14, go-isatty 0.0.20 → 0.0.21, x/sys 0.15.0 → 0.29.0 (highest that still supports Go 1.23).

Non-breaking code changes

• bytes/bytes_test.go: replaced Parse(\"8EiB\") assertions with Parse(\"7EiB\") — 2^63 overflowed int64 and relied on implementation-defined float-to-int behavior.

Full diff

labstack/gommon#62

Commits

• 2659cda fix: SMTPS support + align toolchain with echo (#62)
• See full diff in compare view

Updates github.com/oapi-codegen/oapi-codegen/v2 from 2.5.0 to 2.6.0

Release notes

Sourced from github.com/oapi-codegen/oapi-codegen/v2's releases.

v2.6.0: 7th anniversary release 🎂

For those that aren't aware, 7 years ago to the day, oapi-codegen was born!

(Well, technically it's tonight at midnight UTC, but who's splitting hairs?)

There's nothing too special...

Description has been truncated