Skip to content

chore(deps)(deps): bump the go-deps group across 1 directory with 7 updates#29

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go-deps-df154eee13
Closed

chore(deps)(deps): bump the go-deps group across 1 directory with 7 updates#29
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go-deps-df154eee13

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 24, 2026

Copy link
Copy Markdown

Bumps the go-deps group with 7 updates in the / directory:

Package From To
github.com/gin-gonic/gin 1.10.0 1.12.0
google.golang.org/grpc 1.66.0 1.81.1
github.com/coder/websocket 1.8.12 1.8.15
github.com/redis/go-redis/v9 9.7.0 9.21.0
github.com/go-chi/chi/v5 5.1.0 5.3.0
github.com/labstack/echo/v4 4.12.0 4.15.4
github.com/gofiber/fiber/v2 2.52.4 2.52.13

Updates github.com/gin-gonic/gin from 1.10.0 to 1.12.0

Release notes

Sourced from github.com/gin-gonic/gin's releases.

v1.12.0

Changelog

Features

  • 192ac89eefc1c30f7c97ae48a9ffb1c6f1c8c8bc: feat(binding): add support for encoding.UnmarshalText in uri/query binding (#4203) (@​takanuva15)
  • 53410d2e07054369e0960fbe2eed97e1b9966f12: feat(context): add GetError and GetErrorSlice methods for error retrieval (#4502) (@​raju-mechatronics)
  • acc55e049e33b401e810dbd8c0d6dcb6b3ba2b05: feat(context): add Protocol Buffers support to content negotiation (#4423) (@​1911860538)
  • 38e765119241d990705169bedb5002a29ae0cbd1: feat(context): implemented Delete method (@​Spyder01)
  • 771dcc6476d7bc6abb9ec0235ecefa4d38fe6fb0: feat(gin): add option to use escaped path (#4420) (@​ldesauw)
  • 4dec17afdff48e8018c83618fbbe69fceeb2b41d: feat(logger): color latency (#4146) (@​wsyqn6)
  • d7776de7d444935ea4385999711bd6331a98fecb: feat(render): add bson protocol (#4145) (@​laurentcau)

Bug fixes

  • b917b14ff9d189f16a7492be79d123a47806ee19: fix(binding): empty value error (#2169) (@​guonaihong)
  • c3d1092b3b48addf6f9cd00fe274ec3bd14650eb: fix(binding): improve empty slice/array handling in form binding (#4380) (@​1911860538)
  • 9914178584e42458ff7d23891463a880f58c9d86: fix(context): ClientIP handling for multiple X-Forwarded-For header values (#4472) (@​Nurysso)
  • 2a794cd0b0faa7d829291375b27a3467ea972b0d: fix(debug): version mismatch (#4403) (@​zeek0x)
  • c3d5a28ed6d3849da820195b6774d212bcc038a9: fix(gin): close os.File in RunFd to prevent resource leak (#4422) (@​1911860538)
  • 5fad976b372e381312f8de69f0969f1284d229d3: fix(gin): literal colon routes not working with engine.Handler() (#4415) (@​pawannn)
  • 63dd3e60cab89c27fb66bce1423bd268d52abad1: fix(recover): suppress http.ErrAbortHandler in recover (#4336) (@​MondayCha)
  • 5c00df8afadd06cc5be530dde00fe6d9fa4a2e4a: fix(render): write content length in Data.Render (#4206) (@​dengaleev)
  • 234a6d4c00cb77af9852aca0b8289745d5529b4b: fix(response): refine hijack behavior for response lifecycle (#4373) (@​appleboy)
  • 472d086af2acd924cb4b9d7be0525f7d790f69bc: fix(tree): panic in findCaseInsensitivePathRec with RedirectFixedPath (#4535) (@​veeceey)
  • 8e07d37c63e5536eb25f4af4c91eabeee4011fba: fix: Correct typos, improve documentation clarity, and remove dead code (#4511) (@​mahanadh)

Enhancements

  • ba093d19477b896ac89a7fc3246af23d290b8e26: chore(binding): upgrade bson dependency to mongo-driver v2 (#4549) (@​BobDu)
  • b2b489dbf4826c2c630717a77fd5e42774625410: chore(context): always trust xff headers from unix socket (#3359) (@​WeidiDeng)
  • ecb3f7b5e2f3915bf1db240ed5eee572f8dbea36: chore(deps): upgrade golang.org/x/crypto to v0.45.0 (#4449) (@​appleboy)
  • af6e8b70b8261bb0c99ad094fe552ab92991620a: chore(deps): upgrade quic-go to v0.57.1 (@​appleboy)
  • db309081bc5c137b2aa15701ef53f7f19788da25: chore(logger): allow skipping query string output (#4547) (@​USA-RedDragon)
  • 26c3a628655cad2388380cb8102d6ce7d4875f3b: chore(response): prevent Flush() panic when http.Flusher (#4479) (@​Twacqwq)
  • 5dd833f1f26de0eb30eae47b17e05ced2482dc41: chore: bump minimum Go version to 1.24 and update workflows (#4388) (@​appleboy)

Refactor

  • 39858a0859c914bd26948fa950477e11bd8d3823: refactor(binding): use maps.Copy for cleaner map handling (#4352) (@​russcoss)
  • c0048f645ee945c4db30593afdea10123e2c30a6: refactor(context): omit the return value names (#4395) (@​wanghaolong613)
  • 915e4c90d28ec4cffc6eb146e208ab5a65eac772: refactor(context): replace hardcoded localhost IPs with constants (#4481) (@​pauloappbr)
  • 414de60574449457f3192a7a1d5528940db2836d: refactor(context): using maps.Clone (#4333) (@​cuiweixie)
  • 59e9d4a794f12c4f9a6c7bed441b9644e5f6d99b: refactor(ginS): use sync.OnceValue to simplify engine function (#4314) (@​1911860538)
  • 3ab698dc5110af1977d57226e4995c57dd34c233: refactor(recovery): smart error comparison (#4142) (@​zeek0x)
  • d1a15347b1e45a8ee816193d3578a93bfd73b70f: refactor(utils): move util functions to utils.go (#4467) (@​zeek0x)
  • e3118cc378d263454098924ebbde7e8d1dd2e904: refactor: for loop can be modernized using range over int (#4392) (@​wanghaolong613)
  • 488f8c3ffa579a8d19beb2bae95ff8ef36b3d53f: refactor: replace magic numbers with named constants in bodyAllowedForStatus (#4529) (@​veeceey)
  • 9968c4bf9d5a99edc3eee2c068a4c9160ece8915: refactor: use b.Loop() to simplify the code and improve performance (#4389) (@​reddaisyy)
  • a85ef5ce4d0cda8834c59c855068ed48b51192d1: refactor: use b.Loop() to simplify the code and improve performance (#4432) (@​efcking)

Build process updates

  • 61b67de522a189b568aced4c5c16917c558e3387: ci(bot): increase frequency and group updates for dependencies (#4367) (@​appleboy)
  • fb27ef26c2fdfe25344b4c039d8a53551f9e912c: ci(lint): refactor test assertions and linter configuration (#4436) (@​appleboy)
  • 93ff771e6dbf10e432864b30f3719ac5c84a4d4a: ci(sec): improve type safety and server organization in HTTP middleware (#4437) (@​appleboy)
  • e88fc8927a52b74f55bec0351604a56ac0aa1c51: ci(sec): schedule Trivy security scans to run daily at midnight UTC (#4439) (@​appleboy)
  • 5e5ff3ace496a31b138b0820136a146bfb5de0ef: ci: replace vulnerability scanning workflow with Trivy integration (#4421) (@​appleboy)
  • 00900fb3e1ea9dde33985a0e4f6afec793d5e786: ci: update CI workflows and standardize Trivy config quotes (#4531) (@​appleboy)
  • ae3f524974fc4f55d18c9e7fae4614503c015226: ci: update Go version support to 1.25+ across CI and docs (#4550) (@​appleboy)

... (truncated)

Changelog

Sourced from github.com/gin-gonic/gin's changelog.

Gin v1.12.0

Features

  • feat(render): add bson protocol (#4145)
  • feat(context): add GetError and GetErrorSlice methods for error retrieval (#4502)
  • feat(binding): add support for encoding.UnmarshalText in uri/query binding (#4203)
  • feat(gin): add option to use escaped path (#4420)
  • feat(context): add Protocol Buffers support to content negotiation (#4423)
  • feat(context): implemented Delete method (#38e7651)
  • feat(logger): color latency (#4146)

Enhancements

  • perf(tree): reduce allocations in findCaseInsensitivePath (#4417)
  • perf(recovery): optimize line reading in stack function (#4466)
  • perf(path): replace regex with custom functions in redirectTrailingSlash (#4414)
  • perf(tree): optimize path parsing using strings.Count (#4246)
  • chore(logger): allow skipping query string output (#4547)
  • chore(context): always trust xff headers from unix socket (#3359)
  • chore(response): prevent Flush() panic when the underlying ResponseWriter does not implement http.Flusher (#4479)
  • refactor(recovery): smart error comparison (#4142)
  • refactor(context): replace hardcoded localhost IPs with constants (#4481)
  • refactor(utils): move util functions to utils.go (#4467)
  • refactor(binding): use maps.Copy for cleaner map handling (#4352)
  • refactor(context): using maps.Clone (#4333)
  • refactor(ginS): use sync.OnceValue to simplify engine function (#4314)
  • refactor: replace magic numbers with named constants in bodyAllowedForStatus (#4529)
  • refactor: for loop can be modernized using range over int (#4392)

Bug Fixes

  • fix(tree): panic in findCaseInsensitivePathRec with RedirectFixedPath (#4535)
  • fix(render): write content length in Data.Render (#4206)
  • fix(context): ClientIP handling for multiple X-Forwarded-For header values (#4472)
  • fix(binding): empty value error (#2169)
  • fix(recover): suppress http.ErrAbortHandler in recover (#4336)
  • fix(gin): literal colon routes not working with engine.Handler() (#4415)
  • fix(gin): close os.File in RunFd to prevent resource leak (#4422)
  • fix(response): refine hijack behavior for response lifecycle (#4373)
  • fix(binding): improve empty slice/array handling in form binding (#4380)
  • fix(debug): version mismatch (#4403)
  • fix: correct typos, improve documentation clarity, and remove dead code (#4511)

Build process updates / CI

  • ci: update Go version support to 1.25+ across CI and docs (#4550)
  • chore(binding): upgrade bson dependency to mongo-driver v2 (#4549)

Gin v1.11.0

... (truncated)

Commits
  • 73726dc docs: update documentation to reflect Go version changes (#4552)
  • e292e5c docs: document and finalize Gin v1.12.0 release (#4551)
  • ae3f524 ci: update Go version support to 1.25+ across CI and docs (#4550)
  • 38534e2 chore(deps): bump golang.org/x/net from 0.50.0 to 0.51.0 (#4548)
  • 472d086 fix(tree): panic in findCaseInsensitivePathRec with RedirectFixedPath (#4535)
  • fb25834 test(context): use http.StatusContinue constant instead of magic number 100 (...
  • 6f1d5fe test(render): add comprehensive error handling tests (#4541)
  • 5c00df8 fix(render): write content length in Data.Render (#4206)
  • db30908 chore(logger): allow skipping query string output (#4547)
  • ba093d1 chore(binding): upgrade bson dependency to mongo-driver v2 (#4549)
  • Additional commits viewable in compare view

Updates google.golang.org/grpc from 1.66.0 to 1.81.1

Release notes

Sourced from google.golang.org/grpc's releases.

Release 1.81.1

Security

  • xds/rbac: Fix a potential authorization bypass caused by incorrectly falling through URI/DNS SANs to Subject Distinguished Name (DN) when matching the authenticated principal name. With this fix, only the first non-empty identity source will be used, as per gRFC A41. (#9111)

Bug Fixes

  • otel: Segregate client and server RPC information used for metrics and traces, to avoid one overwriting the other. (#9081)

Release 1.81.0

Behavior Changes

  • balancer/rls: Switch gauge metrics to asynchronous emission (once per collection cycle) to reduce telemetry noise and align with other gRPC language implementations. (#8808)

Dependencies

  • Minimum supported Go version is now 1.25. (#8969)

Bug Fixes

  • xds: Use the leaf cluster's security config for the TLS handshake instead of the aggregate cluster's config. (#8956)
  • transport: Send a RST_STREAM when receiving an END_STREAM when the stream is not already half-closed. (#8832)
  • xds: Fix ADS resource name validation to prevent a panic. (#8970)

New Features

  • grpc/stats: Add support for custom labels in per-call metrics (gRFC A108). (#9008)
  • xds: Add support for Server Name Indication (SNI) and SAN validation (gRFC A101). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_SNI=true environment variable. (#9016)
  • xds: Add support to control which fields get propagated from ORCA backend metric reports to LRS load reports (gRFC A85). Disabled by default. To enable, set GRPC_EXPERIMENTAL_XDS_ORCA_LRS_PROPAGATION=true. (#9005)
  • xds: Add metrics to track xDS client connectivity and cached resource state (gRFC A78). (#8807)
  • stats/otel: Enhance grpc.subchannel.disconnections metric by adding disconnection reason to the grpc.disconnect_error label (gRFC A94). This provides granular insights into why subchannels are closing. (#8973)
  • mem: Add mem.Buffer.Slice() API to slice the buffer like a slice. (#8977)

Performance Improvements

  • alts: Pool read buffers to lower memory utilization when sockets are unreadable. (#8964)
  • transport: Pool HTTP/2 framer read buffers to reduce idle memory consumption. Currently limited to Linux for ALTS and non-encrypted transports (TCP, Unix). To disable, set GRPC_GO_EXPERIMENTAL_HTTP_FRAMER_READ_BUFFER_POOLING=false and report any issues. (#9032)

Release 1.80.0

Behavior Changes

  • balancer: log a warning if a balancer is registered with uppercase letters, as balancer names should be lowercase. In a future release, balancer names will be treated as case-insensitive; see #5288 for details. (#8837)
  • xds: update resource error handling and re-resolution logic (#8907)
    • Re-resolve all LOGICAL_DNS clusters simultaneously when re-resolution is requested.
    • Fail all in-flight RPCs immediately upon receipt of listener or route resource errors, instead of allowing them to complete.

Bug Fixes

... (truncated)

Commits

Updates github.com/coder/websocket from 1.8.12 to 1.8.15

Release notes

Sourced from github.com/coder/websocket's releases.

v1.8.15

Changes

New Contributors

Full Changelog: coder/websocket@v1.8.14...v1.8.15

v1.8.14

Changes

New Contributors

Full Changelog: coder/websocket@v1.8.13...v1.8.14

v1.8.13

Changes

... (truncated)

Commits
  • 9c8faad conn: skip timeout callbacks for background contexts (#566)
  • 7039364 avoid per-frame cleanup closures on read to remove 2 allocs per frame read (#...
  • d099e16 docs: fix roadmap links (#558)
  • c98e9dc docs: fix lint issue (#557)
  • 39b7b07 docs: remove mention of resolved issue in README (#556)
  • 9f473ad docs: add document for AI agents (AGENTS.md) (#547)
  • 8d3545a fix: transmit in single frame when compression enabled (#552)
  • 8bf6dd2 chore: fix typo in Accept function (#544)
  • 7d7c644 refactor: add ErrMessageTooBig sentinel error for limited reads (#535)
  • c7846ea refactor: use context.AfterFunc to track timeouts instead of goroutine (#532)
  • Additional commits viewable in compare view

Updates github.com/redis/go-redis/v9 from 9.7.0 to 9.21.0

Release notes

Sourced from github.com/redis/go-redis/v9's releases.

9.21.0

This is a minor release adding new features and bug fixes. There are no breaking changes; upgrading from 9.20.x is a drop-in replacement.

🚀 Highlights

Zero-copy GetToBuffer / SetFromBuffer

Two new StringCmdable methods let callers read and write Redis string values directly into and from pre-allocated byte buffers, eliminating the per-call payload allocation that Get/Set incur:

GetToBuffer(ctx, key, buf) *ZeroCopyStringCmd   // reads into buf; ZeroCopyStringCmd { Val() int; Bytes() []byte; Result() (int, error) }
SetFromBuffer(ctx, key, buf) *StatusCmd

GetToBuffer decodes the bulk reply straight into the caller-owned buf (no intermediate allocation); a buffer that is too small returns an error after draining the payload, so the connection stays aligned for the next reply. SetFromBuffer is provided for API symmetry — it dispatches to the same []byte writer path as Set(ctx, key, buf, 0) and produces byte-identical output on the wire. Available on *Client, *ClusterClient, *Ring, *Conn and Pipeliner.

(#3834) by @​ndyakov

Explicit LIMIT 0 for stream trimming

Redis treats XTRIM/XADD approximate-trim (~) LIMIT 0 as "disable the trimming effort cap entirely", which differs from omitting LIMIT (the implicit 100 * stream-node-max-entries default). The command builders previously only emitted LIMIT when limit > 0, so callers could never send an explicit LIMIT 0. Following the KeepTTL = -1 precedent, the new XTrimLimitDisabled = -1 sentinel now emits an explicit LIMIT 0; limit == 0 keeps the historical no-LIMIT behavior, so existing callers produce byte-identical commands.

(#3848) by @​TheRealMal

✨ New Features

  • Zero-copy buffer string commands: new GetToBuffer / SetFromBuffer on StringCmdable and the ZeroCopyStringCmd result type, reading/writing string values into caller-owned buffers without per-call payload allocation (#3834) by @​ndyakov
  • XTrimLimitDisabled sentinel: XTRIM/XADD approximate trimming can now send an explicit LIMIT 0 to disable the trim effort cap, via the new XTrimLimitDisabled = -1 sentinel (#3848) by @​TheRealMal
  • PubSub health-check timeouts: channel.initHealthCheck now bounds the Ping it issues with a fresh per-check timeout context (the exported pingTimeout / reconnectTimeout) instead of context.TODO(), so a stuck health-check Ping can no longer block indefinitely (#3819) by @​abdellani
  • Skip redundant UNWATCH in Tx.Close: a transaction now tracks whether a WATCH is still active (watchArmed) and only issues UNWATCH on Close when it is, removing an extra round trip on the common WATCH/.../EXEC and no-key Watch paths while never returning a connection to the pool with an active watch (#3854) by @​fcostaoliveira

🐛 Bug Fixes

  • maintnotifications ModeAuto fail-open: ModeAuto now stays fail-open when the server does not support maintenance notifications — connections are retired and tracking is guarded during downgrade so the client keeps working instead of erroring (#3853) by @​terrorobe

👥 Contributors

We'd like to thank all the contributors who worked on this release!

@​abdellani, @​fcostaoliveira, @​ndyakov, @​terrorobe, @​TheRealMal

9.20.1

This is a patch release containing bug fixes only. There are no new features or breaking changes; upgrading from 9.20.0 is a drop-in replacement.

🚀 Highlights

RESP3 pub/sub message loss fixed

PeekPushNotificationName previously inspected only the bytes already buffered by bufio, so when a push frame header straddled a buffer fill boundary it could return a truncated notification name (e.g. "messa" instead of "message"). The push processor then mis-routed the frame and ReadReply silently dropped it, causing intermittent RESP3 pub/sub message loss. The peek now grows its window (36 bytes → up to 4 KiB) and reads more from the connection until the header is complete, cleanly separating incomplete prefixes from corrupt frames (including overflow-safe bulk-length handling). Fixes #3839.

... (truncated)

Changelog

Sourced from github.com/redis/go-redis/v9's changelog.

9.21.0 (2026-06-18)

This is a minor release adding new features and bug fixes. There are no breaking changes; upgrading from 9.20.x is a drop-in replacement.

🚀 Highlights

Zero-copy GetToBuffer / SetFromBuffer

Two new StringCmdable methods let callers read and write Redis string values directly into and from pre-allocated byte buffers, eliminating the per-call payload allocation that Get/Set incur:

GetToBuffer(ctx, key, buf) *ZeroCopyStringCmd   // reads into buf; ZeroCopyStringCmd { Val() int; Bytes() []byte; Result() (int, error) }
SetFromBuffer(ctx, key, buf) *StatusCmd

GetToBuffer decodes the bulk reply straight into the caller-owned buf (no intermediate allocation); a buffer that is too small returns an error after draining the payload, so the connection stays aligned for the next reply. SetFromBuffer is provided for API symmetry — it dispatches to the same []byte writer path as Set(ctx, key, buf, 0) and produces byte-identical output on the wire. Available on *Client, *ClusterClient, *Ring, *Conn and Pipeliner.

(#3834) by @​ndyakov

Explicit LIMIT 0 for stream trimming

Redis treats XTRIM/XADD approximate-trim (~) LIMIT 0 as "disable the trimming effort cap entirely", which differs from omitting LIMIT (the implicit 100 * stream-node-max-entries default). The command builders previously only emitted LIMIT when limit > 0, so callers could never send an explicit LIMIT 0. Following the KeepTTL = -1 precedent, the new XTrimLimitDisabled = -1 sentinel now emits an explicit LIMIT 0; limit == 0 keeps the historical no-LIMIT behavior, so existing callers produce byte-identical commands.

(#3848) by @​TheRealMal

✨ New Features

  • Zero-copy buffer string commands: new GetToBuffer / SetFromBuffer on StringCmdable and the ZeroCopyStringCmd result type, reading/writing string values into caller-owned buffers without per-call payload allocation (#3834) by @​ndyakov
  • XTrimLimitDisabled sentinel: XTRIM/XADD approximate trimming can now send an explicit LIMIT 0 to disable the trim effort cap, via the new XTrimLimitDisabled = -1 sentinel (#3848) by @​TheRealMal
  • PubSub health-check timeouts: channel.initHealthCheck now bounds the Ping it issues with a fresh per-check timeout context (the exported pingTimeout / reconnectTimeout) instead of context.TODO(), so a stuck health-check Ping can no longer block indefinitely (#3819) by @​abdellani
  • Skip redundant UNWATCH in Tx.Close: a transaction now tracks whether a WATCH is still active (watchArmed) and only issues UNWATCH on Close when it is, removing an extra round trip on the common WATCH/.../EXEC and no-key Watch paths while never returning a connection to the pool with an active watch (#3854) by @​fcostaoliveira

🐛 Bug Fixes

  • maintnotifications ModeAuto fail-open: ModeAuto now stays fail-open when the server does not support maintenance notifications — connections are retired and tracking is guarded during downgrade so the client keeps working instead of erroring (#3853) by @​terrorobe

👥 Contributors

We'd like to thank all the contributors who worked on this release!

@​abdellani, @​fcostaoliveira, @​ndyakov, @​terrorobe, @​TheRealMal


Full Changelog: redis/go-redis@v9.20.1...v9.21.0

9.20.1 (2026-06-11)

This is a patch release containing bug fixes only. There are no new features or breaking changes; upgrading from 9.20.0 is a drop-in replacement.

... (truncated)

Commits
  • 1551837 chore(release): 9.21.0 (#3857)
  • 1cfa927 fix(maintnotifications): keep ModeAuto fail-open (#3853)
  • 1f0ea0e feat(pubsub): introduce timeouts for Ping on channel.initHealthCheck (#3819)
  • 5484b0b feat(tx): skip redundant UNWATCH in Tx.Close when no WATCH is active (#3854)
  • bf57a51 chore(deps): bump rojopolis/spellcheck-github-actions (#3852)
  • 641294c feat(streams): support explicit LIMIT 0 in XTRIM/XADD trimming via XTrimLimit...
  • 74d9bb0 feat(command): add zero-copy GetToBuffer and SetFromBuffer (#3834)
  • a13416b chore(release): 9.20.1 (#3847)
  • 10dc44f fix(push): fix peeking when push name is truncated (#3842)
  • e1a2d68 fix(ft.hybrid): Always generate vector param names if they are not provided b...
  • Additional commits viewable in compare view

Updates github.com/go-chi/chi/v5 from 5.1.0 to 5.3.0

Release notes

Sourced from github.com/go-chi/chi/v5's releases.

v5.3.0

What's Changed

New Contributors

SECURITY: middleware.ClientIP, a replacement for middleware.RealIP

@​VojtechVitek submitted PR #967, which introduces middleware.ClientIP — a replacement for middleware.RealIP that closes the three open spoofing advisories:

It also addresses issues outlined at:

middleware.RealIP is deprecated in this PR with pointers to the new API.

The deprecation only adds a // Deprecated: doc comment; the function keeps working for backward compatibility.

Why a new middleware (not "fix RealIP in place")

RealIP has two unfixable design choices: it mutates r.RemoteAddr, and it tries to be a one-size-fits-all default by walking a hard-coded list of headers any client can supply. Per adam-p's "The perils of the 'real' client IP" (which calls chi out by name on this), there is no safe default — the user must pick their trust source explicitly.

The new API

Four middlewares, two accessors. Pick exactly one middleware based on your infrastructure, read the result with one of the two accessors:

// One of the four. There is no safe default — pick exactly one.
func ClientIPFromHeader(trustedHeader string) func(http.Handler) http.Handler
func ClientIPFromXFF(trustedIPPrefixes ...string) func(http.Handler) http.Handler
func ClientIPFromXFFTrustedProxies(numTrustedProxies int) func(http.Handler) http.Handler
</tr></table> 

... (truncated)

Commits

Updates github.com/labstack/echo/v4 from 4.12.0 to 4.15.4

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.4

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3016, released in v5.2.1). Thanks to @​a-tt-om and @​oran-gugu for reporting.


Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txthello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.4 - 2026-06-15

Security

Fixes

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jun 24, 2026
@dependabot
dependabot Bot force-pushed the dependabot/go_modules/go-deps-df154eee13 branch 2 times, most recently from 14409cb to 0b637d0 Compare June 24, 2026 12:52
…pdates

Bumps the go-deps group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/gin-gonic/gin](https://github.com/gin-gonic/gin) | `1.10.0` | `1.12.0` |
| [google.golang.org/grpc](https://github.com/grpc/grpc-go) | `1.66.0` | `1.81.1` |
| [github.com/coder/websocket](https://github.com/coder/websocket) | `1.8.12` | `1.8.15` |
| [github.com/redis/go-redis/v9](https://github.com/redis/go-redis) | `9.7.0` | `9.21.0` |
| [github.com/go-chi/chi/v5](https://github.com/go-chi/chi) | `5.1.0` | `5.3.0` |
| [github.com/labstack/echo/v4](https://github.com/labstack/echo) | `4.12.0` | `4.15.4` |
| [github.com/gofiber/fiber/v2](https://github.com/gofiber/fiber) | `2.52.4` | `2.52.13` |



Updates `github.com/gin-gonic/gin` from 1.10.0 to 1.12.0
- [Release notes](https://github.com/gin-gonic/gin/releases)
- [Changelog](https://github.com/gin-gonic/gin/blob/master/CHANGELOG.md)
- [Commits](gin-gonic/gin@v1.10.0...v1.12.0)

Updates `google.golang.org/grpc` from 1.66.0 to 1.81.1
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](grpc/grpc-go@v1.66.0...v1.81.1)

Updates `github.com/coder/websocket` from 1.8.12 to 1.8.15
- [Release notes](https://github.com/coder/websocket/releases)
- [Commits](coder/websocket@v1.8.12...v1.8.15)

Updates `github.com/redis/go-redis/v9` from 9.7.0 to 9.21.0
- [Release notes](https://github.com/redis/go-redis/releases)
- [Changelog](https://github.com/redis/go-redis/blob/master/RELEASE-NOTES.md)
- [Commits](redis/go-redis@v9.7.0...v9.21.0)

Updates `github.com/go-chi/chi/v5` from 5.1.0 to 5.3.0
- [Release notes](https://github.com/go-chi/chi/releases)
- [Changelog](https://github.com/go-chi/chi/blob/master/CHANGELOG.md)
- [Commits](go-chi/chi@v5.1.0...v5.3.0)

Updates `github.com/labstack/echo/v4` from 4.12.0 to 4.15.4
- [Release notes](https://github.com/labstack/echo/releases)
- [Changelog](https://github.com/labstack/echo/blob/v4.15.4/CHANGELOG.md)
- [Commits](labstack/echo@v4.12.0...v4.15.4)

Updates `github.com/gofiber/fiber/v2` from 2.52.4 to 2.52.13
- [Release notes](https://github.com/gofiber/fiber/releases)
- [Commits](gofiber/fiber@v2.52.4...v2.52.13)

---
updated-dependencies:
- dependency-name: github.com/coder/websocket
  dependency-version: 1.8.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-deps
- dependency-name: github.com/gin-gonic/gin
  dependency-version: 1.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/go-chi/chi/v5
  dependency-version: 5.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/gofiber/fiber/v2
  dependency-version: 2.52.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go-deps
- dependency-name: github.com/labstack/echo/v4
  dependency-version: 4.15.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: github.com/redis/go-redis/v9
  dependency-version: 9.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
- dependency-name: google.golang.org/grpc
  dependency-version: 1.81.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/go_modules/go-deps-df154eee13 branch from 0b637d0 to 5c66e68 Compare June 24, 2026 13:07
@dependabot @github

dependabot Bot commented on behalf of github Jun 25, 2026

Copy link
Copy Markdown
Author

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 25, 2026
@dependabot
dependabot Bot deleted the dependabot/go_modules/go-deps-df154eee13 branch June 25, 2026 03:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants