
deps(deps): bump github.com/labstack/echo/v4 from 4.13.4 to 4.15.2 in the web-framework group across 1 directory#38

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/web-framework-909af02c9f

Conversation


@dependabot dependabot Bot commented on behalf of github Dec 15, 2025

Bumps the web-framework group with 1 update in the / directory: github.com/labstack/echo/v4.

Updates github.com/labstack/echo/v4 from 4.13.4 to 4.15.2

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.1

What's Changed

Full Changelog: labstack/echo@v4.15.0...v4.15.1

v4.15.0

Security

WARNING: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship between the request origin and the target. The middleware uses this to make security decisions:

  • same-origin or none: Requests are allowed (exact origin match or direct user navigation)
  • same-site: Falls back to token validation (e.g., subdomain to main domain)
  • cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to traditional token-based CSRF protection.

New Configuration Options:

  • TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
  • AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},
    // Custom validation for same-site requests
    AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
        // Your custom authorization logic here
        return validateCustomAuth(c), nil
        // return true, err  // blocks request with error
        // return true, nil  // allows CSRF request through
        // return false, nil // falls back to legacy token logic
    },
}))

PR: labstack/echo#2858

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.2 - 2026-05-01

Security

Thanks to @shblue21 for reporting this issue.

v4.15.1 - 2026-02-22

Enhancements

v4.15.0 - 2026-01-01

Security

NB: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

... (truncated)

Commits
  • 25685e6 Merge pull request #2963 from aldas/v4_changelog_4_15_2
  • f9d7689 Changelog for v4.15.2
  • 37fff28 Merge pull request #2962 from aldas/v4_valid_proto
  • ca4f38a Context.Scheme should validate values taken from header
  • 2e527a7 Update CI, update deps
  • 6f3a84a Merge pull request #2905 from aldas/v4_crsf_token_fallback
  • 24fa4d0 CSRF: support older token-based CSRF protection handler that want to render t...
  • 482bb46 v4.15.0 changelog
  • d0f9d1e CSRF with Sec-Fetch-Site=same-site falls back to legacy token
  • f3fc618 CSRF with Sec-Fetch-Site checks
  • Additional commits viewable in compare view
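The Sec-Fetch-Site decision rules quoted in the release notes above (same-origin/none allowed, same-site falls back to the token, cross-site blocked for unsafe methods unless the Origin is in TrustedOrigins, no header means token only, and the three return shapes of AllowSecFetchSiteFunc) are modeled below as an added, stand-alone example. This is not Echo's csrf.go and uses net/http rather than echo.Context so it runs without the dependency; the request URLs, origins and the hook body are constructed sample data. Two points are this model's own assumptions: a trusted Origin is accepted outright, and an unrecognised Sec-Fetch-Site value is treated like a missing one.

```go
package main

import (
	"fmt"
	"net/http"
)

// Decision is the outcome for a request under the Sec-Fetch-Site rules.
type Decision int

const (
	Allow      Decision = iota // pass without consulting a CSRF token
	CheckToken                 // fall back to legacy token validation
	Block                      // reject with 403
)

func (d Decision) String() string { return [...]string{"allow", "check-token", "block"}[d] }

// Config mirrors the two options added in v4.15.0. The hook takes an
// *http.Request instead of an echo.Context so this example needs no dependency.
type Config struct {
	TrustedOrigins        []string
	AllowSecFetchSiteFunc func(r *http.Request) (bool, error)
}

// unsafeMethods are the state-changing methods the release notes list.
var unsafeMethods = map[string]bool{
	http.MethodPost: true, http.MethodPut: true,
	http.MethodDelete: true, http.MethodPatch: true,
}

// Decide classifies one request. The hook is consulted for both same-site and
// cross-site requests (after the TrustedOrigins check) and its three return
// shapes map to the outcomes listed in the release notes. Assumptions of this
// model: a trusted Origin is accepted outright; an unknown header value is
// handled like a missing one.
func Decide(cfg Config, r *http.Request) (Decision, error) {
	if !unsafeMethods[r.Method] {
		return Allow, nil // safe methods are never CSRF-checked
	}
	site := r.Header.Get("Sec-Fetch-Site")
	switch site {
	case "same-origin", "none":
		return Allow, nil
	case "cross-site":
		origin := r.Header.Get("Origin")
		for _, trusted := range cfg.TrustedOrigins {
			if origin != "" && origin == trusted {
				return Allow, nil
			}
		}
		fallthrough
	case "same-site":
		if cfg.AllowSecFetchSiteFunc != nil {
			ok, err := cfg.AllowSecFetchSiteFunc(r)
			switch {
			case err != nil:
				return Block, err // "return true, err": blocked with error
			case ok:
				return Allow, nil // "return true, nil": allowed through
			default:
				return CheckToken, nil // "return false, nil": legacy token logic
			}
		}
		if site == "cross-site" {
			return Block, nil // default: 403 for cross-site unsafe methods
		}
		return CheckToken, nil // same-site: token validation
	default:
		// Older browsers and non-browser clients send no header: token only.
		return CheckToken, nil
	}
}

// newReq builds a constructed sample request (not captured traffic).
func newReq(method, site, origin string) *http.Request {
	r, _ := http.NewRequest(method, "https://app.example/transfer", nil)
	if site != "" {
		r.Header.Set("Sec-Fetch-Site", site)
	}
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	cfg := Config{
		TrustedOrigins: []string{"https://oauth-provider.com"},
		// Hypothetical hook: only the admin subdomain may skip the token.
		AllowSecFetchSiteFunc: func(r *http.Request) (bool, error) {
			return r.Header.Get("Origin") == "https://admin.app.example", nil
		},
	}
	for _, r := range []*http.Request{
		newReq("GET", "cross-site", "https://evil.example"),
		newReq("POST", "same-origin", ""),
		newReq("POST", "", ""),
		newReq("POST", "same-site", "https://admin.app.example"),
		newReq("POST", "same-site", "https://blog.app.example"),
		newReq("POST", "cross-site", "https://oauth-provider.com"),
		newReq("POST", "cross-site", "https://evil.example"),
	} {
		d, err := Decide(cfg, r)
		fmt.Printf("%-4s site=%-12q origin=%-30q -> %-11s err=%v\n",
			r.Method, r.Header.Get("Sec-Fetch-Site"), r.Header.Get("Origin"), d, err)
	}
}
```

Two things worth checking before pushing the upgrade, which is what the release-note warning is about. First, in this model a hook that answers (false, nil) for a cross-site request turns the default 403 into a token check, so a hook that only reasons about subdomains should still block cross-site explicitly; confirm the same ordering against Echo's own csrf.go rather than this sketch. Second, the header is only meaningful because browsers set it and scripts cannot override it; a non-browser client can send any Sec-Fetch-Site value, but such a client does not carry a victim's cookies, so the token fallback for missing or odd values is the part that must stay intact.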

dependabot Bot commented on behalf of github Dec 15, 2025

Labels

The following labels could not be found: dependencies, go. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from a team as a code owner December 15, 2025 06:17

SergK commented Dec 15, 2025

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/go_modules/web-framework-909af02c9f branch 2 times, most recently from e9f7312 to 3123bab on December 22, 2025 06:16
@dependabot dependabot Bot force-pushed the dependabot/go_modules/web-framework-909af02c9f branch 2 times, most recently from 8d747f0 to 5a9cb00 on March 16, 2026 06:08
@dependabot dependabot Bot changed the title from "deps(deps): bump github.com/labstack/echo/v4 from 4.13.4 to 4.14.0 in the web-framework group" to "deps(deps): bump github.com/labstack/echo/v4 from 4.13.4 to 4.15.2 in the web-framework group across 1 directory" on May 18, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/web-framework-909af02c9f branch from 5a9cb00 to 3d90fcd on May 18, 2026 08:36

SergK commented May 18, 2026

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/go_modules/web-framework-909af02c9f branch from 3d90fcd to 7e2a1d3 on May 18, 2026 09:29
Bumps the web-framework group with 1 update in the / directory: [github.com/labstack/echo/v4](https://github.com/labstack/echo).


Updates `github.com/labstack/echo/v4` from 4.13.4 to 4.15.2
- [Release notes](https://github.com/labstack/echo/releases)
- [Changelog](https://github.com/labstack/echo/blob/v4.15.2/CHANGELOG.md)
- [Commits](labstack/echo@v4.13.4...v4.15.2)

---
updated-dependencies:
- dependency-name: github.com/labstack/echo/v4
  dependency-version: 4.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: web-framework
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/web-framework-909af02c9f branch from 7e2a1d3 to c14c012 on June 1, 2026 19:53