Skip to content

chore(deps): bump the all group across 1 directory with 4 updates#365

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/master/all-b870330294
Open

chore(deps): bump the all group across 1 directory with 4 updates#365
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/go_modules/master/all-b870330294

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps the all group with 4 updates in the / directory: github.com/labstack/echo/v4, github.com/mattn/go-runewidth, go.etcd.io/bbolt and oras.land/oras-go/v2.

Updates github.com/labstack/echo/v4 from 4.15.2 to 4.15.4

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.4

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3016, released in v5.2.1). Thanks to @​a-tt-om and @​oran-gugu for reporting.


Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txthello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.4 - 2026-06-15

Security

Fixes GHSA-vfp3-v2gw-7wfq

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txthello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

v4.15.3 - 2026-06-14

... (truncated)

Commits
  • ec79b58 Merge pull request #3020 from aldas/v4_v4-15-4_changelog
  • 2714c07 Changelog for v4.15.4 - security fix
  • 13f0ed1 Merge pull request #3019 from aldas/v4_backport_3016
  • d16a4ec backport PR 3016 from v4
  • 8f167b9 Merge pull request #3018 from aldas/v4_remove_v5_dep
  • 9afa4ba remove dependency on labstack/echo v5 introduced in go.mod and go.sum
  • 1e05f63 Merge pull request #3017 from aldas/v4_ci_updates
  • 11a3cc4 Update dependencies and add ignore for linting
  • 26bd016 Update CI action versions
  • aa52f6a ci: run workflows on the v4 branch, not just master (#3013)
  • Additional commits viewable in compare view

Updates github.com/mattn/go-runewidth from 0.0.23 to 0.0.24

Commits
  • 0383c20 Merge pull request #96 from mattn/optimize-eastasian-width-table
  • 37796e5 Optimize EastAsian RuneWidth with precomputed width table
  • e8dc57a Revise security policy and supported versions
  • See full diff in compare view

Updates go.etcd.io/bbolt from 1.4.3 to 1.5.0

Release notes

Sourced from go.etcd.io/bbolt's releases.

v0.5.0

See the CHANGELOG/v1.5.0 for more details.

Commits
  • e7a8b2d Merge pull request #1217 from pjsharath28/update-go-release-1.5
  • a916f11 bump go 1.25.11
  • 43ec888 Merge pull request #1212 from Elbehery/20260527_remove_maxSize_guard
  • d43321f chore(test): remove redundant MaxSize guard in TestDB_MaxSizeExceededDoesNotGrow
  • c13504d Merge pull request #1211 from ahrtr/20260526_maxsize_changelog
  • 0a8fbd9 Merge pull request #1210 from Elbehery/20260526_support_data_size_limit
  • 63896b7 Update changelog for the feature of supporting setting file size limit
  • a85b887 Reimplement the feature of support setting data file size limit
  • 443486e test: add and update tests for MaxSize and MMap behavior
  • a1f42c4 Merge pull request #1208 from etcd-io/dependabot/github_actions/golangci/gola...
  • Additional commits viewable in compare view

Updates oras.land/oras-go/v2 from 2.6.0 to 2.6.1

Release notes

Sourced from oras.land/oras-go/v2's releases.

v2.6.1

This is a security patch release addressing five advisories in the authentication, remote, and content layers, plus accumulated bug fixes and maintenance since v2.6.0.

Security Fixes

  • Drop the Authorization header on cross-origin redirects to prevent origin credentials leaking to a redirect target on a different scheme/port of the same host (GHSA-vh4v-2xq2-g5cg)
  • Validate the bearer realm host before sending credentials to prevent credential exfiltration to an attacker-controlled token service, including TLS downgrades and IP-literal metadata endpoints; adds TrustedRealmHosts (GHSA-28r5-37g7-p6mp, GHSA-xf85-363p-868w)
  • Validate the Location host before blob upload to prevent credentials being forwarded to a cross-host upload endpoint (SSRF / CWE-918) (#1152, GHSA-jxpm-75mh-9fp7)
  • Reject descriptor sizes exceeding 32 MiB in content.ReadAll to prevent a crafted OCI layout from triggering a makeslice panic and crashing the process (#1153, GHSA-f36w-mj3v-6jqv)
  • Resolve symlinks when enforcing the workingDir write boundary in content/file, blocking writes that escape the boundary via a symlinked path component when AllowPathTraversalOnWrite=false

Bug Fixes

  • graph.Memory should use digest as map key (#1095)
  • Fix credentials key for the Docker registry-1 host (#966)
  • Support an empty credentials file (#959)

Other Changes

  • Add GitOps release workflow with goreleaser (#1161)
  • Shift the Go support window to [1.24, 1.25] (#991)
  • Run go modernize (#1005)
  • Sync CODEOWNERS and OWNERS.md from main to v2 (#1122)
  • Remove scripts reference from the Makefile (#960)
  • Bump golang.org/x/sync 0.14.0 → 0.20.0 (#971, #978, #1001, #1037, #1078, #1121)
  • Bump GitHub Actions: actions/checkout 4→5 (#989), actions/setup-go 5→6 (#998), actions/stale 9→10 (#997), github/codeql-action 3→4 (#1016)
Commits
  • 47b7c80 release: v2.6.1 (#1195)
  • 3c2e884 Merge commit from fork
  • cc323e5 Merge commit from fork
  • 7a9f4b0 Merge commit from fork
  • d593d50 feat: add gitops release workflow with goreleaser (#1161)
  • 5fd67f9 fix(content): reject descriptor sizes exceeding 32 MiB in ReadAll (#1153)
  • 4683c46 fix: validate Location host before blob upload to prevent credential leak (#1...
  • 4a3e611 build(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0 (#1121)
  • 00de1f0 chore: sync CODEOWNERS and OWNERS.md from main to v2 (#1122)
  • d7b6f8e fix: graph.Memory should use digest as map key (#1095)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the all group with 4 updates in the / directory: [github.com/labstack/echo/v4](https://github.com/labstack/echo), [github.com/mattn/go-runewidth](https://github.com/mattn/go-runewidth), [go.etcd.io/bbolt](https://github.com/etcd-io/bbolt) and [oras.land/oras-go/v2](https://github.com/oras-project/oras-go).


Updates `github.com/labstack/echo/v4` from 4.15.2 to 4.15.4
- [Release notes](https://github.com/labstack/echo/releases)
- [Changelog](https://github.com/labstack/echo/blob/v4.15.4/CHANGELOG.md)
- [Commits](labstack/echo@v4.15.2...v4.15.4)

Updates `github.com/mattn/go-runewidth` from 0.0.23 to 0.0.24
- [Commits](mattn/go-runewidth@v0.0.23...v0.0.24)

Updates `go.etcd.io/bbolt` from 1.4.3 to 1.5.0
- [Release notes](https://github.com/etcd-io/bbolt/releases)
- [Commits](etcd-io/bbolt@v1.4.3...v1.5.0)

Updates `oras.land/oras-go/v2` from 2.6.0 to 2.6.1
- [Release notes](https://github.com/oras-project/oras-go/releases)
- [Commits](oras-project/oras-go@v2.6.0...v2.6.1)

---
updated-dependencies:
- dependency-name: github.com/labstack/echo/v4
  dependency-version: 4.15.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: github.com/mattn/go-runewidth
  dependency-version: 0.0.24
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
- dependency-name: go.etcd.io/bbolt
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all
- dependency-name: oras.land/oras-go/v2
  dependency-version: 2.6.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants