build(deps): bump github.com/labstack/echo/v5 from 5.1.1 to 5.2.0

[dependabot]

Bumps github.com/labstack/echo/v5 from 5.1.1 to 5.2.0.

Release notes

Sourced from github.com/labstack/echo/v5's releases.

v5.2.0 - Static encoded-separator route bypass fix (GHSA-vfp3-v2gw-7wfq)

Security

• fix(static): reject encoded path separators that bypass route-level middleware by @​vishr in labstack/echo#3009
• fix(middleware/static): don't double-unescape request path (#2599) by @​vishr in labstack/echo#3006

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler/StaticFS and the Static middleware are affected. Thanks to @​a-tt-om and @​oran-gugu for reporting.

Enhancements

• feat(middleware): optional RateLimiterStoreContext for response headers (#2961) by @​vishr in labstack/echo#3007
• perf: optimize core hot paths (chain, context, binding, responses) by @​vishr in labstack/echo#3008
• fix(binder): include field name in bind conversion errors (#2629) by @​vishr in labstack/echo#3005
• fix(binder): serialize BindingError to structured JSON (#2771) by @​vishr in labstack/echo#3004
• fix(binder): MustUnixTime docs say time.Time, not time.Duration by @​c-tonneslan in labstack/echo#2988
• fix(middleware): reset ContentLength after gzip decompression by @​shblue21 in labstack/echo#3000
• fix(middleware/proxy): append RealIP to X-Forwarded-For for WebSocket requests by @​kawaway in labstack/echo#2994
• Fix proxy panic when balancer has no targets by @​shblue21 in labstack/echo#2977
• fix(middleware): correct documented KeyAuth KeyLookup default by @​leestana01 in labstack/echo#2992
• test: lock in v5 group route method-handling (405 + OPTIONS) by @​vishr in labstack/echo#3003
• docs: liveness signals in README + public ROADMAP by @​vishr in labstack/echo#3002
• Fix typos in CSRFConfig comments by @​shblue21 in labstack/echo#2979
• refactor: modernize code usage using gofix by @​kumapower17 in labstack/echo#2970
• refactor: replace Split in loops with more efficient SplitSeq by @​box4wangjing in labstack/echo#2969
• refactor: use the built-in max/min to simplify the code by @​criciss in labstack/echo#2966
• Update GitHub actions deps versions by @​aldas in labstack/echo#2971

New Contributors

• @​criciss made their first contribution in labstack/echo#2966
• @​box4wangjing made their first contribution in labstack/echo#2969
• @​shblue21 made their first contribution in labstack/echo#2977
• @​c-tonneslan made their first contribution in labstack/echo#2988
• @​leestana01 made their first contribution in labstack/echo#2992
• @​kawaway made their first contribution in labstack/echo#2994

Full Changelog: labstack/echo@v5.1.1...v5.2.0

Changelog

Sourced from github.com/labstack/echo/v5's changelog.

v5.2.0 - 2026-06-14

Security

• fix(static): reject encoded path separators that bypass route-level middleware by @​vishr in labstack/echo#3009
• fix(middleware/static): don't double-unescape request path (#2599) by @​vishr in labstack/echo#3006

Fixes GHSA-vfp3-v2gw-7wfq: an encoded path separator (%2F or %5C) in a static file URL could bypass route-level middleware (e.g. authentication on a sibling route) and disclose static files. Both StaticDirectoryHandler/StaticFS and the Static middleware are affected. Thanks to @​a-tt-om and @​oran-gugu for reporting.

Enhancements

• feat(middleware): optional RateLimiterStoreContext for response headers (#2961) by @​vishr in labstack/echo#3007
• perf: optimize core hot paths (chain, context, binding, responses) by @​vishr in labstack/echo#3008
• fix(binder): include field name in bind conversion errors (#2629) by @​vishr in labstack/echo#3005
• fix(binder): serialize BindingError to structured JSON (#2771) by @​vishr in labstack/echo#3004
• fix(binder): MustUnixTime docs say time.Time, not time.Duration by @​c-tonneslan in labstack/echo#2988
• fix(middleware): reset ContentLength after gzip decompression by @​shblue21 in labstack/echo#3000
• fix(middleware/proxy): append RealIP to X-Forwarded-For for WebSocket requests by @​kawaway in labstack/echo#2994
• Fix proxy panic when balancer has no targets by @​shblue21 in labstack/echo#2977
• fix(middleware): correct documented KeyAuth KeyLookup default by @​leestana01 in labstack/echo#2992
• test: lock in v5 group route method-handling (405 + OPTIONS) by @​vishr in labstack/echo#3003
• docs: liveness signals in README + public ROADMAP by @​vishr in labstack/echo#3002
• Fix typos in CSRFConfig comments by @​shblue21 in labstack/echo#2979
• refactor: modernize code usage using gofix by @​kumapower17 in labstack/echo#2970
• refactor: replace Split in loops with more efficient SplitSeq by @​box4wangjing in labstack/echo#2969
• refactor: use the built-in max/min to simplify the code by @​criciss in labstack/echo#2966
• Update GitHub actions deps versions by @​aldas in labstack/echo#2971

New Contributors

• @​criciss made their first contribution in labstack/echo#2966
• @​box4wangjing made their first contribution in labstack/echo#2969
• @​shblue21 made their first contribution in labstack/echo#2977
• @​c-tonneslan made their first contribution in labstack/echo#2988
• @​leestana01 made their first contribution in labstack/echo#2992
• @​kawaway made their first contribution in labstack/echo#2994

Full Changelog: labstack/echo@v5.1.1...v5.2.0

Commits

• 5786024 Changelog for v5.2.0 (#3010)
• 8d1ae9d fix(static): reject encoded path separators that bypass route-level middlewar...
• c9477eb feat(middleware): optional RateLimiterStoreContext for response headers (#296...
• b1d65e4 perf: optimize core hot paths (chain, context, binding, responses) (#3008)
• a9ede66 fix(middleware/static): don't double-unescape request path (#2599) (#3006)
• ec9515a fix(binder): include field name in form/struct bind conversion errors (#2629)...
• dba8ff6 fix(binder): serialize BindingError to structured JSON (#2771) (#3004)
• 4f5ac60 test: lock in v5 group route method-handling (405 + OPTIONS) (#3003)
• b0a3916 docs: liveness signals in README + public ROADMAP (#3002)
• 9c748c9 fix(middleware): reset ContentLength after gzip decompression
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)