Skip to content

chore(deps): bump github.com/labstack/echo/v4 from 4.15.2 to 4.15.3#284

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/labstack/echo/v4-4.15.3
Closed

chore(deps): bump github.com/labstack/echo/v4 from 4.15.2 to 4.15.3#284
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/github.com/labstack/echo/v4-4.15.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor

Bumps github.com/labstack/echo/v4 from 4.15.2 to 4.15.3.

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.3 - Static encoded-separator route bypass fix (GHSA-vfp3-v2gw-7wfq)

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3009, released in v5.2.0). Thanks to @​a-tt-om and @​oran-gugu for reporting.

Full Changelog: labstack/echo@v4.15.2...v4.15.3

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.3 - 2026-06-14

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3009). Thanks to @​a-tt-om and @​oran-gugu for reporting.

Commits
  • 8800212 Changelog for v4.15.3 (#3012)
  • c3fa2a2 fix(static): reject encoded path separators that bypass route-level middlewar...
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): bump github.com/labstack/echo/v4 from 4.15.2 to 4.15.3
d23916d 
Bumps [github.com/labstack/echo/v4](https://github.com/labstack/echo) from 4.15.2 to 4.15.3.
- [Release notes](https://github.com/labstack/echo/releases)
- [Changelog](https://github.com/labstack/echo/blob/v4.15.3/CHANGELOG.md)
- [Commits](labstack/echo@v4.15.2...v4.15.3)

---
updated-dependencies:
- dependency-name: github.com/labstack/echo/v4
  dependency-version: 4.15.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jun 15, 2026
@github-actions

github-actions Bot commented Jun 15, 2026

Copy link
Copy Markdown

⚠️MegaLinter analysis: Success with warnings

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ ACTION actionlint 4 0 0 0.05s
✅ API spectral 2 0 0 2.75s
✅ COPYPASTE jscpd yes no no 1.99s
✅ DOCKERFILE hadolint 1 0 0 0.09s
✅ GO golangci-lint yes yes no no 56.76s
✅ GO revive yes no no 1.53s
✅ MARKDOWN markdownlint 2 0 0 0 0.65s
✅ MARKDOWN markdown-table-formatter 2 0 0 0 0.29s
✅ REPOSITORY checkov yes no no 40.5s
✅ REPOSITORY gitleaks yes no no 0.41s
✅ REPOSITORY git_diff yes no no 0.01s
⚠️ REPOSITORY grype yes 13 no 79.23s
✅ REPOSITORY secretlint yes no no 0.7s
✅ REPOSITORY syft yes no no 3.63s
✅ REPOSITORY trivy yes no no 23.85s
✅ REPOSITORY trivy-sbom yes no no 2.79s
✅ REPOSITORY trufflehog yes no no 4.48s
✅ SPELL lychee 14 0 0 0.1s
✅ YAML prettier 12 0 0 0 0.78s
✅ YAML v8r 12 0 0 14.07s
✅ YAML yamllint 12 0 0 0.77s

Detailed Issues

⚠️ REPOSITORY / grype - 13 errors 
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME                 INSTALLED  FIXED IN  TYPE       VULNERABILITY  SEVERITY  EPSS           RISK   
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5006   Critical  < 0.1% (21st)  < 0.1  
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5023   Critical  < 0.1% (16th)  < 0.1  
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5017   Critical  < 0.1% (17th)  < 0.1  
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5020   Critical  < 0.1% (17th)  < 0.1  
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5013   High      < 0.1% (17th)  < 0.1  
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5005   Critical  < 0.1% (13th)  < 0.1  
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5021   Critical  < 0.1% (11th)  < 0.1  
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5019   Critical  < 0.1% (10th)  < 0.1  
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5018   High      < 0.1% (10th)  < 0.1  
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5033   Medium    < 0.1% (16th)  < 0.1  
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5014   Medium    < 0.1% (10th)  < 0.1  
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5015   Medium    < 0.1% (8th)   < 0.1  
golang.org/x/crypto  v0.51.0    0.52.0    go-module  GO-2026-5016   Medium    < 0.1% (6th)   < 0.1
[0079] ERROR discovered vulnerabilities at or above the severity threshold

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,API_SPECTRAL,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,GO_GOLANGCI_LINT,GO_REVIVE,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

@dependabot @github

dependabot Bot commented on behalf of github Jun 16, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #285.

@dependabot dependabot Bot closed this Jun 16, 2026
@dependabot dependabot Bot deleted the dependabot/go_modules/github.com/labstack/echo/v4-4.15.3 branch June 16, 2026 00:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@iggy iggy

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@iggy