chore: Bump github.com/labstack/echo/v4 from 4.15.3 to 4.15.4

[dependabot]

Bumps github.com/labstack/echo/v4 from 4.15.3 to 4.15.4.

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.4

Security

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler (used by Static/StaticFS) and the Static middleware are affected. Backport of the v5 fix (#3016, released in v5.2.1). Thanks to @​a-tt-om and @​oran-gugu for reporting.

---

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt → hello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.4 - 2026-06-15

Security

Fixes GHSA-vfp3-v2gw-7wfq

Make serving static file releated methods and middleware not unescape path by default - so how the way Router interprets paths and Static methods/middleware is consistent.

Given following situation:

// 0.
// given folder structure:
// private.txt
// public/
// public/index.html
// public/text.txt
// public/admin/private.txt
// 1. share public/ folder contents from the server root. This folder actually contains subfolder admin which
// contents we want to forbid from downloading
e.Static("/", "public")
// 2. naively assume that everything under /admin folder is now forbidden
e.GET("/admin/*", func(c *Context) error {
return ErrForbidden
})

Then requests to /admin%2fprivate.txt would not be matched to GET /admin/* route (routing does not look unescaped path) and static file serving will use unescaped path to serve the file.

Note: this way of "guarding" subfolders will never work for for paths like /assets/../admin%2fprivate.txt which will path.Clean("/assets/../admin%2fprivate.txt") to /admin/private.txt and are servable if static file serving is configured to unescape paths.

If you want to guard routes - use middlewares on Static* methods and before Static middleware.

Breaking change / migration: If you serve files whose names contain URL-encoded characters (e.g., /hello%20world.txt → hello world.txt), you must now opt in:

	e := echo.New()
	e.EnablePathUnescapingStaticFiles = true  // <-- enable old behavior
	e.Static("/", "public")

for static middleware

	e.Use(middleware.StaticWithConfig(middleware.StaticConfig{
		EnablePathUnescaping: true, // <-- enable old behavior
	}))

Commits

• ec79b58 Merge pull request #3020 from aldas/v4_v4-15-4_changelog
• 2714c07 Changelog for v4.15.4 - security fix
• 13f0ed1 Merge pull request #3019 from aldas/v4_backport_3016
• d16a4ec backport PR 3016 from v4
• 8f167b9 Merge pull request #3018 from aldas/v4_remove_v5_dep
• 9afa4ba remove dependency on labstack/echo v5 introduced in go.mod and go.sum
• 1e05f63 Merge pull request #3017 from aldas/v4_ci_updates
• 11a3cc4 Update dependencies and add ignore for linting
• 26bd016 Update CI action versions
• aa52f6a ci: run workflows on the v4 branch, not just master (#3013)
• See full diff in compare view

[netlify]

✅ Deploy Preview for go-feature-flag-doc-preview canceled.

Name	Link
🔨 Latest commit	7be3abf
🔍 Latest deploy log	https://app.netlify.com/projects/go-feature-flag-doc-preview/deploys/6a39deec91abf90008f73fbb

[greptile-apps]

Greptile Summary

This is an automated dependency bump upgrading github.com/labstack/echo/v4 from v4.15.3 to v4.15.4, which patches security advisory GHSA-vfp3-v2gw-7wfq. A transitive dependency (github.com/mattn/go-colorable) is also bumped from v0.1.14 to v0.1.15.

• Security fix: The echo upgrade prevents encoded path separators (%2F, %5C) in static file URLs from bypassing route-level middleware and disclosing files outside the intended scope.
• Breaking change scope: The new version no longer unescapes paths in static serving by default; the demo usage (e.Static("/js", "js") and e.Static("/css", "css")) serves standard JS/CSS assets unlikely to have URL-encoded filenames, so no functional regression is expected.

Confidence Score: 5/5

Safe to merge — applies a targeted security patch with no logic changes to application code.

Only go.mod and go.sum are touched. The echo bump addresses a known path-separator bypass in static file serving, and the single usage of e.Static in the repo (the demo app) serves plain JS/CSS assets with no URL-encoded filenames, so the breaking-change opt-in is not required.

No files require special attention.

Important Files Changed

Filename	Overview
go.mod	Bumps echo/v4 to v4.15.4 (security patch) and mattn/go-colorable to v0.1.15 (transitive); straightforward version-line changes only.
go.sum	Hash entries updated to match the new echo/v4 v4.15.4 and go-colorable v0.1.15 module versions; no anomalies.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Client
    participant Router as Echo Router
    participant Middleware as Route Middleware
    participant Static as Static File Handler

    Note over Client,Static: Before v4.15.4 (vulnerable)
    Client->>Router: GET /admin%2Fprivate.txt
    Router-->>Static: "No route match (raw path used), bypasses /admin/* route"
    Static->>Static: Unescape path → /admin/private.txt
    Static-->>Client: 200 OK (file disclosed)

    Note over Client,Static: After v4.15.4 (patched)
    Client->>Router: GET /admin%2Fprivate.txt
    Router-->>Static: No route match
    Static->>Static: Use raw path (no unescape)
    Static-->>Client: 404 Not Found (path not matched)

Loading

%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant Client
    participant Router as Echo Router
    participant Middleware as Route Middleware
    participant Static as Static File Handler

    Note over Client,Static: Before v4.15.4 (vulnerable)
    Client->>Router: GET /admin%2Fprivate.txt
    Router-->>Static: "No route match (raw path used), bypasses /admin/* route"
    Static->>Static: Unescape path → /admin/private.txt
    Static-->>Client: 200 OK (file disclosed)

    Note over Client,Static: After v4.15.4 (patched)
    Client->>Router: GET /admin%2Fprivate.txt
    Router-->>Static: No route match
    Static->>Static: Use raw path (no unescape)
    Static-->>Client: 404 Not Found (path not matched)

Loading

_{Reviews (3): Last reviewed commit: "Merge branch 'main' into dependabot/go_m..." | Re-trigger Greptile}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.71%. Comparing base (0b7fcb6) to head (7be3abf).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #5487   +/-   ##
=======================================
  Coverage   86.71%   86.71%           
=======================================
  Files         160      160           
  Lines        7037     7037           
=======================================
  Hits         6102     6102           
  Misses        694      694           
  Partials      241      241           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud