⬆️ chore(go-deps): Update module github.com/labstack/echo/v4 to v5

[trap-renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
github.com/labstack/echo/v4	require	major	v4.15.0 → v5.0.4

---

Release Notes

labstack/echo (github.com/labstack/echo/v4)

v5.0.4

Compare Source

Enhancements

• Remove unused import 'errors' from README example by @​kumapower17 in #​2889
• Fix Graceful shutdown: after http.Server.Serve returns we need to wait for graceful shutdown goroutine to finish by @​aldas in #​2898
• Update location of oapi-codegen in README by @​mromaszewicz in #​2896
• Add Go 1.26 to CI flow by @​aldas in #​2899
• Add new function echo.StatusCode by @​suwakei in #​2892
• CSRF: support older token-based CSRF protection handler that want to render token into template by @​aldas in #​2894
• Add echo.ResolveResponseStatus function to help middleware/handlers determine HTTP status code and echo.Response by @​aldas in #​2900

v5.0.3

Compare Source

Security

• Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by @​shblue21.

This applies to cases when:

• Windows is used as OS
• middleware.StaticConfig.Filesystem is nil (default)
• echo.Filesystem is has not been set explicitly (default)

Exposure is restricted to the active process working directory and its subfolders.

v5.0.2

Compare Source

Security

• Fix Static middleware with config.Browse=true lists all files/subfolders from config.Filesystem root and not starting from config.Root in #​2887

v5.0.1

Compare Source

• Panic MW: will now return a custom PanicStackError with stack trace by @​aldas in #​2871
• Docs: add missing err parameter to DenyHandler example by @​cgalibern in #​2878
• improve: improve websocket checks in IsWebSocket() [per RFC 6455] by @​raju-mechatronics in #​2875
• fix: Context.Json() should not send status code before serialization is complete by @​aldas in #​2877

v5.0.0

Compare Source

Echo v5 is maintenance release with major breaking changes

• Context is now struct instead of interface and we can add method to it in the future in minor versions.
• Adds new Router interface for possible new routing implementations.
• Drops old logging interface and uses moderm log/slog instead.
• Rearranges alot of methods/function signatures to make them more consistent.

Upgrade notes and v4 support:

• Echo v4 is supported with security* updates and bug fixes until 2026-12-31
• If you are using Echo in a production environment, it is recommended to wait until after 2026-03-31 before upgrading.
• Until 2026-03-31, any critical issues requiring breaking v5 API changes will be addressed, even if this violates semantic versioning.

See API_CHANGES_V5.md for public API changes between v4 and v5, notes on upgrading.

Upgrading TLDR:

If you are using Linux you can migrate easier parts like that:

find . -type f -name "*.go" -exec sed -i 's/ echo.Context/ *echo.Context/g' {} +
find . -type f -name "*.go" -exec sed -i 's/echo\/v4/echo\/v5/g' {} +

macOS

find . -type f -name "*.go" -exec sed -i '' 's/ echo.Context/ *echo.Context/g' {} +
find . -type f -name "*.go" -exec sed -i '' 's/echo\/v4/echo\/v5/g' {} +

or in your favorite IDE

Replace all:

1. echo.Context -> *echo.Context
2. echo/v4 -> echo/v5

This should solve most of the issues. Probably the hardest part is updating all the tests.

v4.15.1

Compare Source

What's Changed

• CSRF: support older token-based CSRF protection handler that want to render token into template by @​aldas in #​2905

Full Changelog: labstack/echo@v4.15.0...v4.15.1

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[trap-renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
golang.org/x/crypto	v0.46.0 -> v0.47.0
golang.org/x/net	v0.48.0 -> v0.49.0
golang.org/x/text	v0.32.0 -> v0.33.0