
fix(deps): update module github.com/labstack/echo/v5 to v5.1.1#72

Open

renovate[bot] wants to merge 1 commit into main from renovate/git.tam.cool-labstack-echo-v5-5.x

Conversation

@renovate (Contributor)

renovate[bot] commented May 30, 2026

This PR contains the following updates:

Package                       Change             Age   Confidence
github.com/labstack/echo/v5   v5.1.0 → v5.1.1    age   confidence

Release Notes

labstack/echo (github.com/labstack/echo/v5)

v5.1.1

Compare Source

Security

Thanks to @shblue21 for reporting this issue.

Enhancements


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff      Package                                               Supply Chain Security   Vulnerability   Quality   Maintenance   License
Updated   golang/github.com/labstack/echo/v5@v5.1.0 ⏵ v5.1.1   72 +1                   100             100       100           100

View full report

@github-actions

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

Version Change: v5.1.0 → v5.1.1 (patch release)

Security Fixes:

  • Critical: Fixed open redirect vulnerability in Context.Scheme() (PR #2953, Issue #2952)
    • Previously accepted malformed forwarded scheme headers without validation
    • Attackers could inject network-path references (e.g., //external.example) via X-Forwarded-Proto headers
    • When combined with redirect middleware, this enabled open redirects to attacker-controlled domains
    • Now validates scheme values to only accept legitimate protocol values (http/https)

Enhancements:

  • Added golangci linter configuration (PR #2930)
  • Made StartConfig listener creation context-aware (PR #2936)
  • Resolved staticcheck issues for improved code quality (PR #2941)
  • Fixed typos in httperror.go (PR #2958)
  • Fixed Context.Json() to not unwrap response objects (PR #2964)
    • Allows middleware to use custom response wrappers while preserving status codes
    • Previously would always send HTTP 200 regardless of middleware-configured status

Breaking Changes:

  • None - this is a backward-compatible patch release

🎯 Impact Scope Investigation

Direct Usage Analysis:

  • Echo v5 is used extensively throughout the codebase:
    • cmd/serve.go:16 - Main server setup with Echo router
    • internal/handler/handler.go:16 - HTTP request handling
    • internal/handler/error.go:7 - Custom error handler
    • internal/middleware/concurrency.go:9 - Concurrency limiter middleware
    • internal/middleware/metrics.go:7 - Metrics endpoint handler

API Surface Area Review:

  1. Context.Scheme() - NOT USED

    • Grep search confirms no usage of .Scheme() method in codebase
    • Security fix does not affect this project
  2. Context.JSON() - EXTENSIVELY USED

    • Used in 7 files for JSON responses
    • Primary locations:
      • cmd/serve.go:116 - Health check endpoint
      • internal/handler/handler.go:147,155,161,173,182,192,198 - All run handler responses
      • internal/handler/error.go:104 - Custom error handler
      • internal/middleware/concurrency.go:53,71,76 - Concurrency limiter errors
    • Impact Assessment: The Context.Json() fix (PR #2964) improves behavior by properly preserving middleware-set status codes
    • All current usage explicitly passes status codes to c.JSON(statusCode, payload), so behavior remains consistent
    • No custom response wrappers detected in middleware chain
  3. Context.Response() - LIMITED USAGE

    • internal/handler/error.go:65 - Uses echo.UnwrapResponse(c.Response()) for checking committed responses
    • internal/middleware/metrics.go:27 - Sets Content-Type header via c.Response().Header().Set()
    • Both usages are safe and unaffected by the changes

Dependency Impact:

  • No transitive dependency changes - Echo v5.1.1 maintains the same dependency tree
  • golang.org/x/time v0.14.0 remains unchanged as indirect dependency

Test Results:

  • All unit tests pass with v5.1.1:
    ok  	github.com/codize-dev/sandbox/cmd/gocacheprog	0.004s
    ok  	github.com/codize-dev/sandbox/internal/handler	0.006s
    ok  	github.com/codize-dev/sandbox/internal/middleware	0.457s
    ok  	github.com/codize-dev/sandbox/internal/sandbox	0.006s

💡 Recommended Actions

Immediate Action:

  1. Merge this PR immediately - Contains critical security fix for open redirect vulnerability
  2. No code modifications required - all changes are backward compatible
  3. Deploy updated version to production as soon as possible

Verification Steps:

  1. ✅ Unit tests already passing with new version
  2. Run E2E tests via docker compose down && docker compose up --build -d && go test -tags e2e ./e2e/... to verify full integration
  3. Monitor application logs after deployment for any unexpected Echo framework errors

Optional Follow-up:

  • While this project doesn't use Context.Scheme(), the security fix demonstrates the importance of validating forwarded headers
  • Consider reviewing any custom header processing logic for similar validation gaps

🔗 Reference Links

Generated by koki-develop/claude-renovate-review
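The review above describes the class of bug fixed in v5.1.1 (a forwarded scheme header accepted without validation and later spliced into a redirect target) and recommends checking any custom forwarded-header handling for the same gap. The following is an added illustration of that defensive check written against Go's standard library only; it is not Echo's code and not part of this PR. The handler, the `app.example` host, the query string and the sample header values are constructed for the demonstration. The validator accepts only the literal values `http` and `https` (case-insensitive, first entry of a comma-separated chain) and otherwise falls back to what the connection itself reports, so a header value such as `//external.example` can never become the prefix of a `Location` header.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SchemeFromForwarded returns the scheme a reverse proxy reported in
// X-Forwarded-Proto, but only when it is exactly "http" or "https".
// Any other value (empty, "//external.example", "javascript", "https://x")
// is rejected, so a forwarded header can never inject a network-path
// reference into a URL built from it. Added example; not Echo's own code.
func SchemeFromForwarded(forwardedProto string) (string, bool) {
	// Chained proxies may send "https, http"; the first entry is the
	// client-facing hop. Normalise whitespace and case before comparing.
	first := strings.ToLower(strings.TrimSpace(strings.Split(forwardedProto, ",")[0]))
	switch first {
	case "http", "https":
		return first, true
	}
	return "", false
}

// EffectiveScheme picks the scheme for building absolute URLs: a validated
// forwarded value when present, otherwise what the connection itself says.
func EffectiveScheme(r *http.Request) string {
	if s, ok := SchemeFromForwarded(r.Header.Get("X-Forwarded-Proto")); ok {
		return s
	}
	if r.TLS != nil {
		return "https"
	}
	return "http"
}

// CanonicalRedirectTarget builds "<scheme>://<host><path?query>" for a
// redirect to the canonical form of the current URL from validated parts.
func CanonicalRedirectTarget(r *http.Request) string {
	return EffectiveScheme(r) + "://" + r.Host + r.URL.RequestURI()
}

// redirectHandler is a hypothetical handler that sends every request to its
// canonical absolute URL, the kind of redirect middleware the review mentions.
func redirectHandler(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, CanonicalRedirectTarget(r), http.StatusFound)
}

// LocationFor runs redirectHandler on a constructed request carrying the
// given X-Forwarded-Proto value and returns the Location header it emits.
func LocationFor(forwardedProto string) string {
	// Constructed request: plain-HTTP connection (r.TLS == nil) to app.example.
	req := httptest.NewRequest(http.MethodGet, "http://app.example/login?next=1", nil)
	if forwardedProto != "" {
		req.Header.Set("X-Forwarded-Proto", forwardedProto)
	}
	rec := httptest.NewRecorder()
	redirectHandler(rec, req)
	return rec.Header().Get("Location")
}

func main() {
	// Constructed sample header values, including the network-path form
	// the review describes; only the first three are accepted.
	samples := []string{"https", "HTTP", "https, http", "//external.example", "javascript", ""}
	for _, v := range samples {
		fmt.Printf("X-Forwarded-Proto=%-22q -> Location: %s\n", v, LocationFor(v))
	}
}
```

The allow-list is the whole point: checking that a value "looks like a scheme" or merely stripping slashes leaves room for the next malformed variant, whereas comparing against the two values the application can actually serve does not. When the proxy is not trusted at all, the right fix is to ignore the header entirely and use `r.TLS` alone.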
