Add golangci linter configuration by @aldas in #2930
Make StartConfig listener creation context-aware by @EricGusmao in #2936
fix(lint): resolve staticcheck issues and improve code quality by @itsllyaz in #2941
Context.Scheme should validate values taken from header by @aldas in #2953
chore: fix typos in httperror.go by @tisonkun in #2958
Context.Json should not unwrap response by @aldas in #2964

This change does not break the API contract, but it does introduce breaking changes in logic/behavior.
If your application is using c.RealIP() beware and read https://echo.labstack.com/docs/ip-address

v4 behavior can be restored with:

e := echo.New()
e.IPExtractor = echo.LegacyIPExtractor()

Remove legacy IP extraction logic from context.RealIP method by @aldas in #2933

Enhancements

Add echo-opentelemetry to the README.md by @aldas in #2908
fix: correct spelling mistakes in comments and field name by @crawfordxx in #2916
Add https://github.com/labstack/echo-prometheus to the middleware list in README.md by @aldas in #2919
Add StartConfig.Listener so server with custom Listener is easier to create by @aldas in #2920
Fix rate limiter documentation for default burst value by @karesansui-u in #2925
Add doc comments to clarify usage of File related methods and leading slash handling by @aldas in #2928
Add NewDefaultFS function to help create filesystem that allows absolute paths by @aldas in #2931
Do not set http.Server.WriteTimeout in StartConfig by @aldas in #2932

`v5.0.4`

Compare Source

Enhancements

Remove unused import 'errors' from README example by @kumapower17 in #2889
Fix Graceful shutdown: after http.Server.Serve returns we need to wait for graceful shutdown goroutine to finish by @aldas in #2898
Update location of oapi-codegen in README by @mromaszewicz in #2896
Add Go 1.26 to CI flow by @aldas in #2899
Add new function echo.StatusCode by @suwakei in #2892
CSRF: support older token-based CSRF protection handler that want to render token into template by @aldas in #2894
Add echo.ResolveResponseStatus function to help middleware/handlers determine HTTP status code and echo.Response by @aldas in #2900

`v5.0.3`

Compare Source

Security

Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by @shblue21.

This applies to cases when:

Windows is used as OS
middleware.StaticConfig.Filesystem is nil (default)
echo.Filesystem is has not been set explicitly (default)

Exposure is restricted to the active process working directory and its subfolders.

`v5.0.2`

Compare Source

Security

Fix Static middleware with config.Browse=true lists all files/subfolders from config.Filesystem root and not starting from config.Root in #2887

`v5.0.1`

Compare Source

Panic MW: will now return a custom PanicStackError with stack trace by @aldas in #2871
Docs: add missing err parameter to DenyHandler example by @cgalibern in #2878
improve: improve websocket checks in IsWebSocket() [per RFC 6455] by @raju-mechatronics in #2875
fix: Context.Json() should not send status code before serialization is complete by @aldas in #2877

`v5.0.0`

Compare Source

Echo v5 is maintenance release with major breaking changes

Context is now struct instead of interface and we can add method to it in the future in minor versions.
Adds new Router interface for possible new routing implementations.
Drops old logging interface and uses moderm log/slog instead.
Rearranges alot of methods/function signatures to make them more consistent.

Upgrade notes and v4 support:

Echo v4 is supported with security* updates and bug fixes until 2026-12-31
If you are using Echo in a production environment, it is recommended to wait until after 2026-03-31 before upgrading.
Until 2026-03-31, any critical issues requiring breaking v5 API changes will be addressed, even if this violates semantic versioning.

See API_CHANGES_V5.md for public API changes between v4 and v5, notes on upgrading.

Upgrading TLDR:

If you are using Linux you can migrate easier parts like that:

find . -type f -name "*.go" -exec sed -i 's/ echo.Context/ *echo.Context/g' {} +
find . -type f -name "*.go" -exec sed -i 's/echo\/v4/echo\/v5/g' {} +

macOS

find . -type f -name "*.go" -exec sed -i '' 's/ echo.Context/ *echo.Context/g' {} +
find . -type f -name "*.go" -exec sed -i '' 's/echo\/v4/echo\/v5/g' {} +

or in your favorite IDE

Replace all:

echo.Context -> *echo.Context
echo/v4 -> echo/v5

This should solve most of the issues. Probably the hardest part is updating all the tests.

`v4.15.2`: - Context.Scheme() header validation

Compare Source

Security

Context.Scheme() should validate values taken from header by @aldas in #2962

Thanks to @shblue21 for reporting this issue.

Full Changelog: https://github.com/labstack/echo/compare/v4.15.1...v4.15.2

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/labstack/echo/v4](https://github.com/labstack/echo) | require | major | `v4.15.1` → `v5.1.1` | --- ### Release Notes <details> <summary>labstack/echo (github.com/labstack/echo/v4)</summary> ### [`v5.1.1`](https://github.com/labstack/echo/blob/HEAD/CHANGELOG.md#v511---2026-05-01) [Compare Source](https://github.com/labstack/echo/compare/v5.1.0...v5.1.1) **Security** - `Context.Scheme()` should validate values taken from header by [@aldas](https://github.com/aldas) in [#2953](https://github.com/labstack/echo/pull/2953) Thanks to [@shblue21](https://github.com/shblue21) for reporting this [issue](https://github.com/labstack/echo/issues/2952). **Enhancements** - Add golangci linter configuration by [@aldas](https://github.com/aldas) in [#2930](https://github.com/labstack/echo/pull/2930) - Make StartConfig listener creation context-aware by [@EricGusmao](https://github.com/EricGusmao) in [#2936](https://github.com/labstack/echo/pull/2936) - fix(lint): resolve staticcheck issues and improve code quality by [@itsllyaz](https://github.com/itsllyaz) in [#2941](https://github.com/labstack/echo/pull/2941) - Context.Scheme should validate values taken from header by [@aldas](https://github.com/aldas) in [#2953](https://github.com/labstack/echo/pull/2953) - chore: fix typos in httperror.go by [@tisonkun](https://github.com/tisonkun) in [#2958](https://github.com/labstack/echo/pull/2958) - Context.Json should not unwrap response by [@aldas](https://github.com/aldas) in [#2964](https://github.com/labstack/echo/pull/2964) ### [`v5.1.0`](https://github.com/labstack/echo/blob/HEAD/CHANGELOG.md#v510---2026-03-31) [Compare Source](https://github.com/labstack/echo/compare/v5.0.4...v5.1.0) **Security** This change does not break the API contract, but it does introduce breaking changes in logic/behavior. If your application is using `c.RealIP()` beware and read <https://echo.labstack.com/docs/ip-address> `v4` behavior can be restored with: ```go e := echo.New() e.IPExtractor = echo.LegacyIPExtractor() ``` - Remove legacy IP extraction logic from context.RealIP method by [@aldas](https://github.com/aldas) in [#2933](https://github.com/labstack/echo/pull/2933) **Enhancements** - Add echo-opentelemetry to the README.md by [@aldas](https://github.com/aldas) in [#2908](https://github.com/labstack/echo/pull/2908) - fix: correct spelling mistakes in comments and field name by [@crawfordxx](https://github.com/crawfordxx) in [#2916](https://github.com/labstack/echo/pull/2916) - Add <https://github.com/labstack/echo-prometheus> to the middleware list in README.md by [@aldas](https://github.com/aldas) in [#2919](https://github.com/labstack/echo/pull/2919) - Add StartConfig.Listener so server with custom Listener is easier to create by [@aldas](https://github.com/aldas) in [#2920](https://github.com/labstack/echo/pull/2920) - Fix rate limiter documentation for default burst value by [@karesansui-u](https://github.com/karesansui-u) in [#2925](https://github.com/labstack/echo/pull/2925) - Add doc comments to clarify usage of File related methods and leading slash handling by [@aldas](https://github.com/aldas) in [#2928](https://github.com/labstack/echo/pull/2928) - Add NewDefaultFS function to help create filesystem that allows absolute paths by [@aldas](https://github.com/aldas) in [#2931](https://github.com/labstack/echo/pull/2931) - Do not set http.Server.WriteTimeout in StartConfig by [@aldas](https://github.com/aldas) in [#2932](https://github.com/labstack/echo/pull/2932) ### [`v5.0.4`](https://github.com/labstack/echo/blob/HEAD/CHANGELOG.md#v504---2026-02-15) [Compare Source](https://github.com/labstack/echo/compare/v5.0.3...v5.0.4) **Enhancements** - Remove unused import 'errors' from README example by [@kumapower17](https://github.com/kumapower17) in [#2889](https://github.com/labstack/echo/pull/2889) - Fix Graceful shutdown: after `http.Server.Serve` returns we need to wait for graceful shutdown goroutine to finish by [@aldas](https://github.com/aldas) in [#2898](https://github.com/labstack/echo/pull/2898) - Update location of oapi-codegen in README by [@mromaszewicz](https://github.com/mromaszewicz) in [#2896](https://github.com/labstack/echo/pull/2896) - Add Go 1.26 to CI flow by [@aldas](https://github.com/aldas) in [#2899](https://github.com/labstack/echo/pull/2899) - Add new function `echo.StatusCode` by [@suwakei](https://github.com/suwakei) in [#2892](https://github.com/labstack/echo/pull/2892) - CSRF: support older token-based CSRF protection handler that want to render token into template by [@aldas](https://github.com/aldas) in [#2894](https://github.com/labstack/echo/pull/2894) - Add `echo.ResolveResponseStatus` function to help middleware/handlers determine HTTP status code and echo.Response by [@aldas](https://github.com/aldas) in [#2900](https://github.com/labstack/echo/pull/2900) ### [`v5.0.3`](https://github.com/labstack/echo/blob/HEAD/CHANGELOG.md#v503---2026-02-06) [Compare Source](https://github.com/labstack/echo/compare/v5.0.2...v5.0.3) **Security** - Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by [@shblue21](https://github.com/shblue21). This applies to cases when: - Windows is used as OS - `middleware.StaticConfig.Filesystem` is `nil` (default) - `echo.Filesystem` is has not been set explicitly (default) Exposure is restricted to the active process working directory and its subfolders. ### [`v5.0.2`](https://github.com/labstack/echo/blob/HEAD/CHANGELOG.md#v502---2026-02-02) [Compare Source](https://github.com/labstack/echo/compare/v5.0.1...v5.0.2) **Security** - Fix Static middleware with `config.Browse=true` lists all files/subfolders from `config.Filesystem` root and not starting from `config.Root` in [#2887](https://github.com/labstack/echo/pull/2887) ### [`v5.0.1`](https://github.com/labstack/echo/blob/HEAD/CHANGELOG.md#v501---2026-01-28) [Compare Source](https://github.com/labstack/echo/compare/v5.0.0...v5.0.1) - Panic MW: will now return a custom PanicStackError with stack trace by [@aldas](https://github.com/aldas) in [#2871](https://github.com/labstack/echo/pull/2871) - Docs: add missing err parameter to DenyHandler example by [@cgalibern](https://github.com/cgalibern) in [#2878](https://github.com/labstack/echo/pull/2878) - improve: improve websocket checks in IsWebSocket() \[per RFC 6455] by [@raju-mechatronics](https://github.com/raju-mechatronics) in [#2875](https://github.com/labstack/echo/pull/2875) - fix: Context.Json() should not send status code before serialization is complete by [@aldas](https://github.com/aldas) in [#2877](https://github.com/labstack/echo/pull/2877) ### [`v5.0.0`](https://github.com/labstack/echo/blob/HEAD/CHANGELOG.md#v500---2026-01-18) [Compare Source](https://github.com/labstack/echo/compare/v4.15.2...v5.0.0) Echo `v5` is maintenance release with **major breaking changes** - `Context` is now struct instead of interface and we can add method to it in the future in minor versions. - Adds new `Router` interface for possible new routing implementations. - Drops old logging interface and uses moderm `log/slog` instead. - Rearranges alot of methods/function signatures to make them more consistent. Upgrade notes and `v4` support: - Echo `v4` is supported with **security**\* updates and **bug** fixes until **2026-12-31** - If you are using Echo in a production environment, it is recommended to wait until after 2026-03-31 before upgrading. - Until 2026-03-31, any critical issues requiring breaking `v5` API changes will be addressed, even if this violates semantic versioning. See [API\_CHANGES\_V5.md](./API_CHANGES_V5.md) for public API changes between `v4` and `v5`, notes on **upgrading**. Upgrading TLDR: If you are using Linux you can migrate easier parts like that: ```bash find . -type f -name "*.go" -exec sed -i 's/ echo.Context/ *echo.Context/g' {} + find . -type f -name "*.go" -exec sed -i 's/echo\/v4/echo\/v5/g' {} + ``` macOS ```bash find . -type f -name "*.go" -exec sed -i '' 's/ echo.Context/ *echo.Context/g' {} + find . -type f -name "*.go" -exec sed -i '' 's/echo\/v4/echo\/v5/g' {} + ``` or in your favorite IDE Replace all: 1. ` echo.Context` -> ` *echo.Context` 2. `echo/v4` -> `echo/v5` This should solve most of the issues. Probably the hardest part is updating all the tests. ### [`v4.15.2`](https://github.com/labstack/echo/releases/tag/v4.15.2): - Context.Scheme() header validation [Compare Source](https://github.com/labstack/echo/compare/v4.15.1...v4.15.2) **Security** - `Context.Scheme()` should validate values taken from header by [@aldas](https://github.com/aldas) in [#2962](https://github.com/labstack/echo/pull/2962) Thanks to [@shblue21](https://github.com/shblue21) for reporting this [issue](https://github.com/labstack/echo/issues/2952). **Full Changelog**: <https://github.com/labstack/echo/compare/v4.15.1...v4.15.2> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

renovate-bot added 1 commit

2026-03-29 23:44:40 -04:00

chore(deps): update module github.com/labstack/echo/v4 to v5 426ac4a77a

renovate-bot force-pushed renovate/github.com-labstack-echo-v4-5.x from 426ac4a77a to c87a36b22d

2026-03-31 18:07:59 -04:00

Compare

renovate-bot force-pushed renovate/github.com-labstack-echo-v4-5.x from c87a36b22d to e56681ef04

2026-05-01 14:42:41 -04:00

Compare

renovate-bot commented

2026-05-01 14:42:42 -04:00

Author

Collaborator

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

7 additional dependencies were updated

Details:

Package	Change
`github.com/labstack/gommon`	`v0.4.2` -> `v0.5.0`
`github.com/mattn/go-isatty`	`v0.0.20` -> `v0.0.22`
`golang.org/x/crypto`	`v0.47.0` -> `v0.50.0`
`golang.org/x/net`	`v0.49.0` -> `v0.53.0`
`golang.org/x/sys`	`v0.40.0` -> `v0.43.0`
`golang.org/x/text`	`v0.33.0` -> `v0.36.0`
`golang.org/x/time`	`v0.14.0` -> `v0.15.0`

### ℹ️ Artifact update notice ##### File name: go.mod In order to perform the update(s) described in the table above, Renovate ran the `go get` command, which resulted in the following additional change(s): - 7 additional dependencies were updated Details: | **Package** | **Change** | | :--------------------------- | :--------------------- | | `github.com/labstack/gommon` | `v0.4.2` -> `v0.5.0` | | `github.com/mattn/go-isatty` | `v0.0.20` -> `v0.0.22` | | `golang.org/x/crypto` | `v0.47.0` -> `v0.50.0` | | `golang.org/x/net` | `v0.49.0` -> `v0.53.0` | | `golang.org/x/sys` | `v0.40.0` -> `v0.43.0` | | `golang.org/x/text` | `v0.33.0` -> `v0.36.0` | | `golang.org/x/time` | `v0.14.0` -> `v0.15.0` |

renovate-bot force-pushed renovate/github.com-labstack-echo-v4-5.x from e56681ef04 to 3994d33850

2026-05-01 15:46:45 -04:00

Compare

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin renovate/github.com-labstack-echo-v4-5.x:renovate/github.com-labstack-echo-v4-5.x

git switch renovate/github.com-labstack-echo-v4-5.x

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch master

git merge --no-ff renovate/github.com-labstack-echo-v4-5.x

git switch renovate/github.com-labstack-echo-v4-5.x

git rebase master

git switch master

git merge --ff-only renovate/github.com-labstack-echo-v4-5.x

git switch renovate/github.com-labstack-echo-v4-5.x

git rebase master

git switch master

git merge --no-ff renovate/github.com-labstack-echo-v4-5.x

git switch master

git merge --squash renovate/github.com-labstack-echo-v4-5.x