Skip to content

build(go): bump the go group with 4 updates#53

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go-ae568d2f66
Open

build(go): bump the go group with 4 updates#53
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/go_modules/go-ae568d2f66

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps the go group with 4 updates: github.com/labstack/echo/v4, github.com/urfave/cli/v3, golang.org/x/sync and tailscale.com.

Updates github.com/labstack/echo/v4 from 4.15.2 to 4.15.4

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.4

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3016, released in v5.2.1). Thanks to @​a-tt-om and @​oran-gugu for reporting.


Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txthello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.4 - 2026-06-15

Security

Fixes GHSA-vfp3-v2gw-7wfq

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txthello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

v4.15.3 - 2026-06-14

... (truncated)

Commits
  • ec79b58 Merge pull request #3020 from aldas/v4_v4-15-4_changelog
  • 2714c07 Changelog for v4.15.4 - security fix
  • 13f0ed1 Merge pull request #3019 from aldas/v4_backport_3016
  • d16a4ec backport PR 3016 from v4
  • 8f167b9 Merge pull request #3018 from aldas/v4_remove_v5_dep
  • 9afa4ba remove dependency on labstack/echo v5 introduced in go.mod and go.sum
  • 1e05f63 Merge pull request #3017 from aldas/v4_ci_updates
  • 11a3cc4 Update dependencies and add ignore for linting
  • 26bd016 Update CI action versions
  • aa52f6a ci: run workflows on the v4 branch, not just master (#3013)
  • Additional commits viewable in compare view

Updates github.com/urfave/cli/v3 from 3.9.0 to 3.10.1

Release notes

Sourced from github.com/urfave/cli/v3's releases.

v3.10.1

What's Changed

New Contributors

Full Changelog: urfave/cli@v3.10.0...v3.10.1

v3.10.0

What's Changed

Full Changelog: urfave/cli@v3.9.1...v3.10.0

v3.9.1

What's Changed

Full Changelog: urfave/cli@v3.9.0...v3.9.1

Commits
  • c5f123b Merge pull request #2322 from lihan3238/fix-2249
  • 8449859 Merge branch 'main' into fix-2249
  • 02bdfb0 Merge pull request #2374 from urfave/fix/completion-subcommand-order
  • 49e84c0 Merge pull request #2330 from c-tonneslan/fix/version-alias-conflict-with-use...
  • 54d38c9 v3: yield the version flag's -v alias to a user-defined flag
  • 0242574 Merge pull request #2369 from urfave/fix/gfmrun-count-and-examples
  • 80f2625 test: explain why completionShells is mutated in completion error tests
  • 0045bbd fix: keep completion subcommand order deterministic in help output
  • f980ca8 Merge pull request #2371 from urfave/dependabot/github_actions/actions/checko...
  • b5e4348 chore(deps): bump actions/checkout from 6 to 7
  • Additional commits viewable in compare view

Updates golang.org/x/sync from 0.20.0 to 0.21.0

Commits

Updates tailscale.com from 1.98.5 to 1.100.0

Release notes

Sourced from tailscale.com's releases.

v1.98.8

Please refer to the changelog available at https://tailscale.com/changelog

Commits
  • c811bb1 VERSION.txt: this is v1.100.0
  • 98f1ac0 cmd/k8s-operator, net/netutil: revert 4via6 changes (#19990)
  • cdcb1cb go.toolchain.rev: bump to Go 1.26.4
  • b26dadf net/dns/resolver: skip DNS health warning when doing split DNS (#19959)
  • fa54242 ipn,ipn/localapi: require local admin to serve Unix domain sockets
  • 40c98cd tstest/natlab/vmtest: deflake, de-strictify TestSelfSignedDERPHashPinning
  • 01c59d8 cmd/tailscale/cli: show services in serve status (#19600)
  • 9107354 tstest/natlab/vnet: send unsolicited IPv6 Router Advertisements
  • c91b718 ipn/localapi,tstest/natlab: fix debug derp TLS check for sha256-raw CertName
  • 52400dc ipn/ipnlocal: add back a watchdog after earlier removal from engine
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the go group with 4 updates: [github.com/labstack/echo/v4](https://github.com/labstack/echo), [github.com/urfave/cli/v3](https://github.com/urfave/cli), [golang.org/x/sync](https://github.com/golang/sync) and [tailscale.com](https://github.com/tailscale/tailscale).


Updates `github.com/labstack/echo/v4` from 4.15.2 to 4.15.4
- [Release notes](https://github.com/labstack/echo/releases)
- [Changelog](https://github.com/labstack/echo/blob/v4.15.4/CHANGELOG.md)
- [Commits](labstack/echo@v4.15.2...v4.15.4)

Updates `github.com/urfave/cli/v3` from 3.9.0 to 3.10.1
- [Release notes](https://github.com/urfave/cli/releases)
- [Changelog](https://github.com/urfave/cli/blob/main/docs/CHANGELOG.md)
- [Commits](urfave/cli@v3.9.0...v3.10.1)

Updates `golang.org/x/sync` from 0.20.0 to 0.21.0
- [Commits](golang/sync@v0.20.0...v0.21.0)

Updates `tailscale.com` from 1.98.5 to 1.100.0
- [Release notes](https://github.com/tailscale/tailscale/releases)
- [Commits](tailscale/tailscale@v1.98.5...v1.100.0)

---
updated-dependencies:
- dependency-name: github.com/labstack/echo/v4
  dependency-version: 4.15.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: go
- dependency-name: github.com/urfave/cli/v3
  dependency-version: 3.10.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: golang.org/x/sync
  dependency-version: 0.21.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
- dependency-name: tailscale.com
  dependency-version: 1.100.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: go
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants