[PR #2252] [MERGED] chore(deps): bump github.com/labstack/echo/v5 from 5.0.0 to 5.0.3 #4012

New Issue

Closed

opened 2026-03-22 14:58:46 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-03-22 14:58:46 -05:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/go-vikunja/vikunja/pull/2252
Author: @dependabot[bot]
Created: 2/17/2026
Status: ✅ Merged
Merged: 2/17/2026
Merged by: @kolaente

Base: main ← Head: dependabot/go_modules/github.com/labstack/echo/v5-5.0.3

---

📝 Commits (1)

• 39bc41e chore(deps): bump github.com/labstack/echo/v5 from 5.0.0 to 5.0.3

📊 Changes

2 files changed (+3 additions, -3 deletions)

View changed files

📝 go.mod (+1 -1)
📝 go.sum (+2 -2)

📄 Description

Bumps github.com/labstack/echo/v5 from 5.0.0 to 5.0.3.

Release notes

Sourced from github.com/labstack/echo/v5's releases.

v5.0.3 security (static middleware directory traversal under Windows)

Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by @​shblue21 (labstack/echo#2891).

This applies to cases when:

• Windows is used as OS
• middleware.StaticConfig.Filesystem is nil (default)
• echo.Filesystem is has not been set explicitly (default)

Full Changelog: https://github.com/labstack/echo/compare/v5.0.2...v5.0.3

v5.0.2 security (static middleware folder browsing)

Security

• Fix Static middleware when folder browsing is enabled (config.Browse=true , defaults to false) lists all files/subfolders from config.Filesystem root folder and not starting from config.Root and requested folder in labstack/echo#2887 . Reported by @​shblue21 in labstack/echo#2886

Full Changelog: https://github.com/labstack/echo/compare/v5.0.1...v5.0.2

v5.0.1 small fixes

What's Changed

• Panic MW: will now return a custom PanicStackError with stack trace by @​aldas in labstack/echo#2871
• Docs: add missing err parameter to DenyHandler example by @​cgalibern in labstack/echo#2878
• Context: improve websocket checks in IsWebSocket() [per RFC 6455] by @​raju-mechatronics in labstack/echo#2875
• Fix: Context.Json() should not send status code before serialization is complete by @​aldas in labstack/echo#2877

New Contributors

• @​cgalibern made their first contribution in labstack/echo#2878
• @​raju-mechatronics made their first contribution in labstack/echo#2875

Full Changelog: https://github.com/labstack/echo/compare/v5.0.0...v5.0.1

Changelog

Sourced from github.com/labstack/echo/v5's changelog.

v5.0.3 - 2026-02-06

Security

• Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by @​shblue21.

This applies to cases when:

• Windows is used as OS
• middleware.StaticConfig.Filesystem is nil (default)
• echo.Filesystem is has not been set explicitly (default)

Exposure is restricted to the active process working directory and its subfolders.

v5.0.2 - 2026-02-02

Security

• Fix Static middleware with config.Browse=true lists all files/subfolders from config.Filesystem root and not starting from config.Root in labstack/echo#2887

v5.0.1 - 2026-01-28

• Panic MW: will now return a custom PanicStackError with stack trace by @​aldas in labstack/echo#2871
• Docs: add missing err parameter to DenyHandler example by @​cgalibern in labstack/echo#2878
• improve: improve websocket checks in IsWebSocket() [per RFC 6455] by @​raju-mechatronics in labstack/echo#2875
• fix: Context.Json() should not send status code before serialization is complete by @​aldas in labstack/echo#2877

Commits

• b1d4430 Merge pull request #2891 from aldas/fix_staticmw
• 48f25a6 Fix test reporting different size due Windows / Linux line ending inconsisten...
• 6c16259 Fix directory traversal vulnerability under Windows in Static middleware when...
• 88d975a Fix directory traversal vulnerability under Windows in Static middleware when...
• 09ccfba Fill c.Request().Pattern field with route path to help standard library based...
• 68aaf3a Changelog for version 5.0.2
• 26ec148 security (static middleware): fix bowser=true listing all file names from giv...
• ba10490 Merge pull request #2880 from aldas/changelog_501
• 0954d6e Changelog for v5.0.1 release
• 8e4c91f Create SECURITY.md
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/go-vikunja/vikunja/pull/2252 **Author:** [@dependabot[bot]](https://github.com/apps/dependabot) **Created:** 2/17/2026 **Status:** ✅ Merged **Merged:** 2/17/2026 **Merged by:** [@kolaente](https://github.com/kolaente) **Base:** `main` ← **Head:** `dependabot/go_modules/github.com/labstack/echo/v5-5.0.3` --- ### 📝 Commits (1) - [`39bc41e`](https://github.com/go-vikunja/vikunja/commit/39bc41efd654ea5b753fa4133c91d599565e4fc0) chore(deps): bump github.com/labstack/echo/v5 from 5.0.0 to 5.0.3 ### 📊 Changes **2 files changed** (+3 additions, -3 deletions) <details> <summary>View changed files</summary> 📝 `go.mod` (+1 -1) 📝 `go.sum` (+2 -2) </details> ### 📄 Description Bumps [github.com/labstack/echo/v5](https://github.com/labstack/echo) from 5.0.0 to 5.0.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/labstack/echo/releases">github.com/labstack/echo/v5's releases</a>.</em></p> <blockquote> <h2>v5.0.3 security (static middleware directory traversal under Windows)</h2> <p>Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by <a href="https://github.com/shblue21"><code>@​shblue21</code></a> (<a href="https://redirect.github.com/labstack/echo/pull/2891">labstack/echo#2891</a>).</p> <p>This applies to cases when:</p> <ul> <li>Windows is used as OS</li> <li><code>middleware.StaticConfig.Filesystem</code> is <code>nil</code> (default)</li> <li><code>echo.Filesystem</code> is has not been set explicitly (default)</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/labstack/echo/compare/v5.0.2...v5.0.3">https://github.com/labstack/echo/compare/v5.0.2...v5.0.3</a></p> <h2>v5.0.2 security (static middleware folder browsing)</h2> <p><strong>Security</strong></p> <ul> <li>Fix Static middleware when folder browsing is enabled (<code>config.Browse=true</code> , defaults to <code>false</code>) lists all files/subfolders from <code>config.Filesystem</code> root folder and not starting from <code>config.Root</code> and requested folder in <a href="https://redirect.github.com/labstack/echo/pull/2887">labstack/echo#2887</a> . Reported by <a href="https://github.com/shblue21"><code>@​shblue21</code></a> in <a href="https://redirect.github.com/labstack/echo/issues/2886">labstack/echo#2886</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/labstack/echo/compare/v5.0.1...v5.0.2">https://github.com/labstack/echo/compare/v5.0.1...v5.0.2</a></p> <h2>v5.0.1 small fixes</h2> <h2>What's Changed</h2> <ul> <li>Panic MW: will now return a custom PanicStackError with stack trace by <a href="https://github.com/aldas"><code>@​aldas</code></a> in <a href="https://redirect.github.com/labstack/echo/pull/2871">labstack/echo#2871</a></li> <li>Docs: add missing err parameter to DenyHandler example by <a href="https://github.com/cgalibern"><code>@​cgalibern</code></a> in <a href="https://redirect.github.com/labstack/echo/pull/2878">labstack/echo#2878</a></li> <li>Context: improve websocket checks in IsWebSocket() [per RFC 6455] by <a href="https://github.com/raju-mechatronics"><code>@​raju-mechatronics</code></a> in <a href="https://redirect.github.com/labstack/echo/pull/2875">labstack/echo#2875</a></li> <li>Fix: Context.Json() should not send status code before serialization is complete by <a href="https://github.com/aldas"><code>@​aldas</code></a> in <a href="https://redirect.github.com/labstack/echo/pull/2877">labstack/echo#2877</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/cgalibern"><code>@​cgalibern</code></a> made their first contribution in <a href="https://redirect.github.com/labstack/echo/pull/2878">labstack/echo#2878</a></li> <li><a href="https://github.com/raju-mechatronics"><code>@​raju-mechatronics</code></a> made their first contribution in <a href="https://redirect.github.com/labstack/echo/pull/2875">labstack/echo#2875</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/labstack/echo/compare/v5.0.0...v5.0.1">https://github.com/labstack/echo/compare/v5.0.0...v5.0.1</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/labstack/echo/blob/master/CHANGELOG.md">github.com/labstack/echo/v5's changelog</a>.</em></p> <blockquote> <h2>v5.0.3 - 2026-02-06</h2> <p><strong>Security</strong></p> <ul> <li>Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by <a href="https://github.com/shblue21"><code>@​shblue21</code></a>.</li> </ul> <p>This applies to cases when:</p> <ul> <li>Windows is used as OS</li> <li><code>middleware.StaticConfig.Filesystem</code> is <code>nil</code> (default)</li> <li><code>echo.Filesystem</code> is has not been set explicitly (default)</li> </ul> <p>Exposure is restricted to the active process working directory and its subfolders.</p> <h2>v5.0.2 - 2026-02-02</h2> <p><strong>Security</strong></p> <ul> <li>Fix Static middleware with <code>config.Browse=true</code> lists all files/subfolders from <code>config.Filesystem</code> root and not starting from <code>config.Root</code> in <a href="https://redirect.github.com/labstack/echo/pull/2887">labstack/echo#2887</a></li> </ul> <h2>v5.0.1 - 2026-01-28</h2> <ul> <li>Panic MW: will now return a custom PanicStackError with stack trace by <a href="https://github.com/aldas"><code>@​aldas</code></a> in <a href="https://redirect.github.com/labstack/echo/pull/2871">labstack/echo#2871</a></li> <li>Docs: add missing err parameter to DenyHandler example by <a href="https://github.com/cgalibern"><code>@​cgalibern</code></a> in <a href="https://redirect.github.com/labstack/echo/pull/2878">labstack/echo#2878</a></li> <li>improve: improve websocket checks in IsWebSocket() [per RFC 6455] by <a href="https://github.com/raju-mechatronics"><code>@​raju-mechatronics</code></a> in <a href="https://redirect.github.com/labstack/echo/pull/2875">labstack/echo#2875</a></li> <li>fix: Context.Json() should not send status code before serialization is complete by <a href="https://github.com/aldas"><code>@​aldas</code></a> in <a href="https://redirect.github.com/labstack/echo/pull/2877">labstack/echo#2877</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/labstack/echo/commit/b1d443086ea27cf51345ec72a71e9b7e9d9ce5f1"><code>b1d4430</code></a> Merge pull request <a href="https://redirect.github.com/labstack/echo/issues/2891">#2891</a> from aldas/fix_staticmw</li> <li><a href="https://github.com/labstack/echo/commit/48f25a6c16273b2ef34b292c71cfd0593577e5d1"><code>48f25a6</code></a> Fix test reporting different size due Windows / Linux line ending inconsisten...</li> <li><a href="https://github.com/labstack/echo/commit/6c162596b43157c8a4d6c7d88a7db9f45be95ef2"><code>6c16259</code></a> Fix directory traversal vulnerability under Windows in Static middleware when...</li> <li><a href="https://github.com/labstack/echo/commit/88d975a83de6a8cdf233512cfcf7c9295c91c778"><code>88d975a</code></a> Fix directory traversal vulnerability under Windows in Static middleware when...</li> <li><a href="https://github.com/labstack/echo/commit/09ccfbaace93a36bef8f494348d13d86dc327ea4"><code>09ccfba</code></a> Fill c.Request().Pattern field with route path to help standard library based...</li> <li><a href="https://github.com/labstack/echo/commit/68aaf3a429387519a3dece617b8f0e5956d0dc6a"><code>68aaf3a</code></a> Changelog for version 5.0.2</li> <li><a href="https://github.com/labstack/echo/commit/26ec148ea731c2ddf55c03b1f9b776da23e27217"><code>26ec148</code></a> security (static middleware): fix bowser=true listing all file names from giv...</li> <li><a href="https://github.com/labstack/echo/commit/ba104908b9f6545d0b9d1a6695663c45cf952957"><code>ba10490</code></a> Merge pull request <a href="https://redirect.github.com/labstack/echo/issues/2880">#2880</a> from aldas/changelog_501</li> <li><a href="https://github.com/labstack/echo/commit/0954d6e36ec3a98e7244d7ebd4781eeeda97713a"><code>0954d6e</code></a> Changelog for v5.0.1 release</li> <li><a href="https://github.com/labstack/echo/commit/8e4c91f736ea7c9dc213f0ba66bc6851dc105d34"><code>8e4c91f</code></a> Create SECURITY.md</li> <li>Additional commits viewable in <a href="https://github.com/labstack/echo/compare/v5.0.0...v5.0.3">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/go-vikunja/vikunja/network/alerts). </details> --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

GiteaMirror added the pull-request label 2026-03-22 14:58:46 -05:00

GiteaMirror closed this issue 2026-03-22 14:58:47 -05:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

renovate/dev-dependencies

feat-v2-foundation

dependabot/npm_and_yarn/frontend/axios-1.15.2

spike-huma-openapi3

claude/investigate-swagger3-support-nyyUa

feat-list-view-buckets

ci-mysql-8-test

codex/analyze-codebase-for-email-task-feature

feat-project-templates

csv-import-feature

claude/email-reply-comments-wpdcQ

fix-oidc-pkce-support

fix/overview-subtasks-expand

feat/bucket-select-task-detail

feat-soft-delete-projects

claude/review-bot-design-plan-cf5C3

claude/project-scoped-api-tokens-KTqR3

claude/explore-openclaw-integration-KQEzg

claude/project-scoped-api-tokens-yv5KS

fix-duplicate-close-button

feat-list-view-sorting

feat/official-vite-sentry-plugin

feat/highlight-overdue-tasks

feat/add-enter-key-form-submission-handling

feat/TipTap-nits

feat/update-caldavtimetotimestamp-parsing

feat-phosphor-icons

wip-plans

claude/investigate-issue-2173-llKme

fix-description-text-drag

feat-custom-keyboard-shortcuts

pr-1845-ci

codex/fix-drag-and-drop-behavior-inconsistency

copilot/add-clickable-labels-for-filtering

copilot/fix-issue-1786

playwright-migration

fix-kanban-repeating-wip

copilot/fix-1498

feature/replace-axios

codex/upgrade-to-tailwind-4.1.8-using-pnpm

codex/add-cypress-test-for-avatar-types

feature/biome

feature/oxc

codex/update-flexsearch-to-0.8.205

4r6ni9-codex/fix-deprecated-sass-@import-usage

codex/fix-deprecated-sass-@import-usage

codex/add-cypress-test-for-task-list-refresh-fix

codex/fix-quick-add-magic-not-adding-tasks

codex/fix-all-type-errors

codex/fix-mimetype-for-docs.json

feature/caldav-from-scratch

feature/gh-actions-hetzner

fix-ci

feat/new-logger

jyte-better-dev-config

feat/add-team-member-with-enter

fix/button-and-icon-types

fix/notifications-component-name-collision

feature/null-time

renovate/tailwindcss-4.x

feature/unplugin-vue-router

fix/deprecated-import

feature/zod-schema

renovate/golangci-golangci-lint-1.x

fix/tiptap-editor-reactive-destructuring

release/0.24

feat/improve-add-task

fix/saved-filter-search

feat/webp-and-avif-attachment-previews

feature/migrate-back-to-bulma

fix/sass-add-missing-list-import

feature/sticky-demo-bar

fix/gantt-view-switch

feature/typesense-position-join

feature/focus-visible

dependencies/golangci-lint

feature/better-filter-syntax

fix/tiptap-task-list

renovate/github.com-golang-jwt-jwt-v4-5.x

feature/hide-forbidden-related-tasks

renovate/golang-1.x

release/0.20

release/0.17

release/0.16

release/0.15

release/0.14

v2.3.0

v2.2.2

v2.2.1

v2.2.0

v2.1.0

v2.0.0

v1.1.0

v1.0.0

v1.0.0-rc4

v1.0.0-rc3

v1.0.0-rc2

v1.0.0-rc1

v1.0.0-rc0

v0.24.6

v0.24.5

v0.24.4

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.0

v0.22.1

v0.22.0

0.21.0

v0.21.0

v0.20.4

v0.20.5

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.2

v0.19.1

v0.19.0

vue3

v0.18.1

v0.18.0

v0.17.1

v0.17.0

v0.16.1

v0.16.0

v0.15.1

v0.15.0

v0.14.1

v0.14.0

v0.13.1

v0.13

v0.12

v0.11

v0.10

v0.9

v0.8

v0.7

v0.6

v0.5

v0.4

v0.3

v0.2

v0.1

Labels

Clear labels

area/api

area/attachments

area/auth

area/avatars

area/backup-restore

area/caldav

area/calendar-view

area/comments

area/config

area/database

area/desktop

area/docker

area/email

area/favorites

area/filters

area/frontend

area/gantt

area/i18n

area/import-export

area/internal-code

area/kanban

area/labels

area/list-view

area/mobile

area/notifications

area/permissions

area/projects

area/pwa

area/recurring-tasks

area/reminders

area/search

area/shortcuts

area/subtasks

area/sync

area/table-view

area/task-editor

area/task-metadata

area/task-relations

area/teams

area/theming

area/time-tracking

area/typesense

area/views

area/webhooks

bug

changes requested

concern/accessibility

concern/performance

concern/regression

concern/ux

confirmed

db/mysql

dependencies

enhancement

good first issue

help wanted

integration/inbound

integration/outbound

kind/bug

kind/feature

needs reproduction

pull-request

Mirrored from GitHub Pull Request

question

security

support

upstream issue

waiting for reply

wontfix

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/vikunja#4012