Bump github.com/labstack/echo/v5 from 5.0.4 to 5.2.1

[dependabot]

Bumps github.com/labstack/echo/v5 from 5.0.4 to 5.2.1.

Release notes

Sourced from github.com/labstack/echo/v5's releases.

v5.2.1

Security

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

---

• revert PR #3009 changes to just disabling path escaping by default in static methods/middleware by @​aldas in labstack/echo#3016

Closes GHSA-vfp3-v2gw-7wfq more completely: the previous fix (#3009) rejected explicitly encoded separators at the handler level; this patch makes the no-unescape behavior the default so new configurations are safe without extra opt-out steps.

What changed: DisablePathUnescaping (on StaticConfig and StaticDirectoryHandlerConfig) is deprecated and replaced by EnablePathUnescaping (default false). Path unescaping is now opt-in.

What this protects: With EnablePathUnescaping: false (new default), encoded separators (%2F, %5C) are never decoded before routing or file lookup, so they cannot bypass route-level authentication or other middleware guards.

What this does NOT protect: Serving a directory with Static, StaticFS, or StaticDirectoryHandler exposes its entire subtree. Sibling routes are not a reliable ACL boundary — attach authorization middleware directly to the static mount, or serve sensitive sub-trees under separate guarded routes.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt → hello world.txt), you must now opt in:

</tr></table> 

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v5's changelog.

Changelog

v5.2.0 - 2026-06-14

Security

• fix(static): reject encoded path separators that bypass route-level middleware by @​vishr in labstack/echo#3009
• fix(middleware/static): don't double-unescape request path (#2599) by @​vishr in labstack/echo#3006

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler/StaticFS and the Static middleware are affected. Thanks to @​a-tt-om and @​oran-gugu for reporting.

Enhancements

• feat(middleware): optional RateLimiterStoreContext for response headers (#2961) by @​vishr in labstack/echo#3007
• perf: optimize core hot paths (chain, context, binding, responses) by @​vishr in labstack/echo#3008
• fix(binder): include field name in bind conversion errors (#2629) by @​vishr in labstack/echo#3005
• fix(binder): serialize BindingError to structured JSON (#2771) by @​vishr in labstack/echo#3004
• fix(binder): MustUnixTime docs say time.Time, not time.Duration by @​c-tonneslan in labstack/echo#2988
• fix(middleware): reset ContentLength after gzip decompression by @​shblue21 in labstack/echo#3000
• fix(middleware/proxy): append RealIP to X-Forwarded-For for WebSocket requests by @​kawaway in labstack/echo#2994
• Fix proxy panic when balancer has no targets by @​shblue21 in labstack/echo#2977
• fix(middleware): correct documented KeyAuth KeyLookup default by @​leestana01 in labstack/echo#2992
• test: lock in v5 group route method-handling (405 + OPTIONS) by @​vishr in labstack/echo#3003
• docs: liveness signals in README + public ROADMAP by @​vishr in labstack/echo#3002
• Fix typos in CSRFConfig comments by @​shblue21 in labstack/echo#2979
• refactor: modernize code usage using gofix by @​kumapower17 in labstack/echo#2970
• refactor: replace Split in loops with more efficient SplitSeq by @​box4wangjing in labstack/echo#2969
• refactor: use the built-in max/min to simplify the code by @​criciss in labstack/echo#2966
• Update GitHub actions deps versions by @​aldas in labstack/echo#2971

New Contributors

• @​criciss made their first contribution in labstack/echo#2966
• @​box4wangjing made their first contribution in labstack/echo#2969
• @​shblue21 made their first contribution in labstack/echo#2977
• @​c-tonneslan made their first contribution in labstack/echo#2988
• @​leestana01 made their first contribution in labstack/echo#2992
• @​kawaway made their first contribution in labstack/echo#2994

Full Changelog: labstack/echo@v5.1.1...v5.2.0

v5.1.1 - 2026-05-01

Security

• Context.Scheme() should validate values taken from header by @​aldas in labstack/echo#2953

Thanks to @​shblue21 for reporting this issue.

... (truncated)

Commits

• 78c3d95 revert PR #3009 changes to just disabling path escaping by default in static ...
• 5786024 Changelog for v5.2.0 (#3010)
• 8d1ae9d fix(static): reject encoded path separators that bypass route-level middlewar...
• c9477eb feat(middleware): optional RateLimiterStoreContext for response headers (#296...
• b1d65e4 perf: optimize core hot paths (chain, context, binding, responses) (#3008)
• a9ede66 fix(middleware/static): don't double-unescape request path (#2599) (#3006)
• ec9515a fix(binder): include field name in form/struct bind conversion errors (#2629)...
• dba8ff6 fix(binder): serialize BindingError to structured JSON (#2771) (#3004)
• 4f5ac60 test: lock in v5 group route method-handling (405 + OPTIONS) (#3003)
• b0a3916 docs: liveness signals in README + public ROADMAP (#3002)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)