
chore(deps): bump github.com/labstack/echo/v4 from 4.15.2 to 4.15.4#285

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/labstack/echo/v4-4.15.4

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 16, 2026


Bumps github.com/labstack/echo/v4 from 4.15.2 to 4.15.4.

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.4

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3016, released in v5.2.1). Thanks to @a-tt-om and @oran-gugu for reporting.


Make the static-file-serving related methods and middleware not unescape the path by default, so that the way the Router interprets paths and the way the Static methods/middleware interpret them is consistent.

Given the following situation:

	// 0.
	// given folder structure:
	// private.txt
	// public/
	// public/index.html
	// public/text.txt
	// public/admin/private.txt
	// 1. share public/ folder contents from the server root. This folder actually contains a subfolder admin whose
	// contents we want to forbid from downloading
	e.Static("/", "public")
	// 2. naively assume that everything under the /admin folder is now forbidden
	e.GET("/admin/*", func(c echo.Context) error {
		return echo.ErrForbidden
	})

Then requests to /admin%2fprivate.txt would not be matched to the GET /admin/* route (routing does not look at the unescaped path), and static file serving will use the unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for paths like /assets/../admin%2fprivate.txt, which path.Clean("/assets/../admin%2fprivate.txt") turns into /admin/private.txt and which are servable if static file serving is configured to unescape paths.

If you want to guard routes, use middlewares on the Static* methods and before the Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt → hello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.4 - 2026-06-15

Security

Fixes GHSA-vfp3-v2gw-7wfq


v4.15.3 - 2026-06-14

... (truncated)

Commits
  • ec79b58 Merge pull request #3020 from aldas/v4_v4-15-4_changelog
  • 2714c07 Changelog for v4.15.4 - security fix
  • 13f0ed1 Merge pull request #3019 from aldas/v4_backport_3016
  • d16a4ec backport PR 3016 from v4
  • 8f167b9 Merge pull request #3018 from aldas/v4_remove_v5_dep
  • 9afa4ba remove dependency on labstack/echo v5 introduced in go.mod and go.sum
  • 1e05f63 Merge pull request #3017 from aldas/v4_ci_updates
  • 11a3cc4 Update dependencies and add ignore for linting
  • 26bd016 Update CI action versions
  • aa52f6a ci: run workflows on the v4 branch, not just master (#3013)
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/labstack/echo/v4](https://github.com/labstack/echo) from 4.15.2 to 4.15.4.
- [Release notes](https://github.com/labstack/echo/releases)
- [Changelog](https://github.com/labstack/echo/blob/v4.15.4/CHANGELOG.md)
- [Commits](labstack/echo@v4.15.2...v4.15.4)

---
updated-dependencies:
- dependency-name: github.com/labstack/echo/v4
  dependency-version: 4.15.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
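The routing/static-serving mismatch described in the quoted release notes, as an added example that is not part of this PR or of echo's own code: a standard-library-only Go model of the three request paths from the note. It assumes, as the note states, that the router matches on the raw percent-encoded path while the static handler decodes before path.Clean; `simulate`, `staticResolve`, `routeMatchesAdmin`, `publicFiles` and the file names are hypothetical, constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed file set mirroring the release note's public/ folder (hypothetical names).
var publicFiles = map[string]bool{"/index.html": true, "/text.txt": true, "/admin/private.txt": true}
// Verdict is what one request would do in the simulated server.
type Verdict struct {
	RouteGuardHit bool   // the naive GET /admin/* route answered 403
	ServedPath    string // path the static handler resolved under its root
	Allowed       bool   // true only if an existing file would be served
}

// The router matches the raw, still percent-encoded path: "/admin%2f..." never matches "/admin/*".
func routeMatchesAdmin(rawPath string) bool { return strings.HasPrefix(rawPath, "/admin/") }
// The static handler optionally percent-decodes (the pre-4.15.4 default), then path.Cleans under the root.
func staticResolve(rawPath string, unescape bool) string {
	if unescape {
		if u, err := url.PathUnescape(rawPath); err == nil {
			rawPath = u
		}
	}
	return path.Clean("/" + rawPath)
}

// simulate replays e.Static("/", "public") plus the naive GET /admin/* guard. guardStatic stands in
// for the recommended fix: a middleware on the Static route that checks the path actually resolved.
func simulate(rawPath string, unescape, guardStatic bool) Verdict {
	if routeMatchesAdmin(rawPath) {
		return Verdict{RouteGuardHit: true}
	}
	v := Verdict{ServedPath: staticResolve(rawPath, unescape)}
	if guardStatic && strings.HasPrefix(v.ServedPath, "/admin/") {
		return v // denied where the file is resolved, so encoding tricks do not help
	}
	v.Allowed = publicFiles[v.ServedPath]
	return v
}

func main() {
	for _, p := range []string{"/admin/private.txt", "/admin%2fprivate.txt", "/assets/../admin%2fprivate.txt"} {
		fmt.Printf("%-32s old=%+v fixed=%+v guarded=%+v\n",
			p, simulate(p, true, false), simulate(p, false, false), simulate(p, true, true))
	}
}
```

The "old" column shows the bypass the advisory describes, "fixed" the 4.15.4 default (the encoded name simply does not resolve to a file), and "guarded" why a check on the resolved path holds even when unescaping is re-enabled.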
@dependabot dependabot Bot added the labels "dependencies" (Pull requests that update a dependency file) and "go" (Pull requests that update Go code) on Jun 16, 2026
@github-actions


MegaLinter analysis: Success

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ ACTION actionlint 4 0 0 0.04s
✅ API spectral 2 0 0 2.01s
✅ COPYPASTE jscpd yes no no 1.44s
✅ DOCKERFILE hadolint 1 0 0 0.05s
✅ GO golangci-lint yes yes no no 45.14s
✅ GO revive yes no no 1.77s
✅ MARKDOWN markdownlint 2 0 0 0 0.57s
✅ MARKDOWN markdown-table-formatter 2 0 0 0 0.22s
✅ REPOSITORY checkov yes no no 35.52s
✅ REPOSITORY gitleaks yes no no 0.25s
✅ REPOSITORY git_diff yes no no 0.0s
✅ REPOSITORY grype yes no no 63.25s
✅ REPOSITORY secretlint yes no no 0.62s
✅ REPOSITORY syft yes no no 2.86s
✅ REPOSITORY trivy yes no no 21.03s
✅ REPOSITORY trivy-sbom yes no no 2.41s
✅ REPOSITORY trufflehog yes no no 3.78s
✅ SPELL lychee 14 0 0 0.13s
✅ YAML prettier 12 0 0 0 0.6s
✅ YAML v8r 12 0 0 10.42s
✅ YAML yamllint 12 0 0 0.56s

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

  • Documentation: Custom Flavors
  • Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,API_SPECTRAL,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,GO_GOLANGCI_LINT,GO_REVIVE,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

