@dependabot dependabot bot commented on behalf of github Jan 2, 2026

Bumps github.com/labstack/echo/v4 from 4.13.4 to 4.15.0.

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.0

Security

WARNING: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship between the request origin and the target. The middleware uses this to make security decisions:

  • same-origin or none: Requests are allowed (exact origin match or direct user navigation)
  • same-site: Falls back to token validation (e.g., subdomain to main domain)
  • cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to traditional token-based CSRF protection.

New Configuration Options:

  • TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
  • AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},
    // Custom validation for same-site requests
    AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
        // Your custom authorization logic here
        return validateCustomAuth(c), nil
        // return true, err  // blocks request with error
        // return true, nil  // allows CSRF request through
        // return false, nil // falls back to legacy token logic
    },
}))

PR: labstack/echo#2858

Type-Safe Generic Parameter Binding

  • Added generic functions for type-safe parameter extraction and context access by @aldas in labstack/echo#2856

    Echo now provides generic functions for extracting path, query, and form parameters with automatic type conversion, eliminating manual string parsing and type assertions.

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.0 - 2026-01-01

Commits
  • 482bb46 v4.15.0 changelog
  • d0f9d1e CSRF with Sec-Fetch-Site=same-site falls back to legacy token
  • f3fc618 CSRF with Sec-Fetch-Site checks
  • 4dcb9b4 licence headers
  • cbc0ac1 Add PathParam(Or)/QueryParam(Or)/FormParam(Or) generic functions
  • 6b14f4e Add Context.Get generic functions
  • 321530d disable test - returns different error under Windows
  • c8abd9f disable flaky test
  • 9fe43f7 fix Rate limiter disallows fractional rates
  • 1b5122a document things to reduce false positives
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
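The Sec-Fetch-Site decision table quoted in the release notes above, written out as a stand-alone Go policy so the allow / token-fallback / reject branches can be exercised against constructed requests. This is an added illustration, not echo's middleware code: the `Policy`, `Decide` and `newReq` names are mine, `TrustedOrigins` is matched against the request's `Origin` header by assumption, and an unrecognised Sec-Fetch-Site value is treated like a missing header by assumption. The authoritative behaviour is in labstack/echo#2858.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// Decision is the outcome of the Fetch Metadata check for one request.
type Decision int

const (
	Allow        Decision = iota // pass without consulting the CSRF token
	RequireToken                 // fall back to the legacy token check
	Reject                       // respond 403
)

func (d Decision) String() string {
	switch d {
	case Allow:
		return "allow"
	case RequireToken:
		return "require-token"
	default:
		return "reject"
	}
}

// errDenied is a constructed error a custom check might return to block a request.
var errDenied = errors.New("custom same-site/cross-site check failed")

// Policy mirrors the two configuration knobs named in the release notes.
// Illustrative re-implementation (hypothetical names), not the echo middleware.
type Policy struct {
	TrustedOrigins []string                          // stand-in for CSRFConfig.TrustedOrigins
	AllowFunc      func(*http.Request) (bool, error) // stand-in for AllowSecFetchSiteFunc
}

// isSafeMethod: CSRF protection only applies to state-changing methods.
func isSafeMethod(m string) bool {
	switch m {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return true
	}
	return false
}

// custom applies AllowFunc with the semantics from the release-notes comments:
// a non-nil error rejects, (true, nil) allows, (false, nil) leaves the default
// for that Sec-Fetch-Site value in force (first result false = "not decided").
func (p Policy) custom(r *http.Request) (bool, Decision, error) {
	if p.AllowFunc == nil {
		return false, 0, nil
	}
	ok, err := p.AllowFunc(r)
	if err != nil {
		return true, Reject, err
	}
	if ok {
		return true, Allow, nil
	}
	return false, 0, nil
}

// Decide classifies one request per the release-notes decision table.
func (p Policy) Decide(r *http.Request) (Decision, error) {
	if isSafeMethod(r.Method) {
		return Allow, nil
	}
	switch r.Header.Get("Sec-Fetch-Site") {
	case "":
		// Older browser or non-browser client: no Fetch Metadata, only the token can decide.
		return RequireToken, nil
	case "same-origin", "none":
		return Allow, nil
	case "same-site":
		if decided, d, err := p.custom(r); decided {
			return d, err
		}
		return RequireToken, nil
	case "cross-site":
		origin := r.Header.Get("Origin") // assumption: allowlist is matched on Origin
		for _, trusted := range p.TrustedOrigins {
			if origin == trusted {
				return Allow, nil
			}
		}
		if decided, d, err := p.custom(r); decided {
			return d, err
		}
		return Reject, nil
	default:
		// Assumption: an unrecognised value gets the same treatment as a missing header.
		return RequireToken, nil
	}
}

// newReq builds a constructed sample request to a fictitious endpoint.
func newReq(method, site, origin string) *http.Request {
	r, err := http.NewRequest(method, "https://app.example/transfer", nil)
	if err != nil {
		panic(err)
	}
	if site != "" {
		r.Header.Set("Sec-Fetch-Site", site)
	}
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	p := Policy{TrustedOrigins: []string{"https://oauth-provider.com"}}
	for _, s := range []struct{ method, site, origin string }{
		{"GET", "cross-site", "https://other.example"},
		{"POST", "", ""},
		{"POST", "same-origin", ""},
		{"POST", "same-site", ""},
		{"POST", "cross-site", "https://oauth-provider.com"},
		{"POST", "cross-site", "https://other.example"},
	} {
		d, err := p.Decide(newReq(s.method, s.site, s.origin))
		fmt.Printf("%-4s Sec-Fetch-Site=%-13q Origin=%-28q -> %s (err=%v)\n", s.method, s.site, s.origin, d, err)
	}
}
```

Running `main` prints one line per constructed request; the two cross-site POSTs show the effect of `TrustedOrigins`, and the blank-header POST shows why the token mechanism still has to stay enabled for clients that send no Fetch Metadata.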

@dependabot dependabot bot assigned iggy Jan 2, 2026
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jan 2, 2026
github-actions bot commented Jan 2, 2026

MegaLinter analysis: Error

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ ACTION actionlint 4 0 0 0.29s
✅ API spectral 2 0 0 3.9s
✅ COPYPASTE jscpd yes no no 1.78s
✅ DOCKERFILE hadolint 1 0 0 0.07s
❌ GO golangci-lint yes yes 1 no 39.71s
✅ GO revive yes no no 0.02s
✅ MARKDOWN markdownlint 2 0 0 0 0.61s
✅ MARKDOWN markdown-table-formatter 2 0 0 0 0.25s
✅ REPOSITORY checkov yes no no 30.24s
✅ REPOSITORY gitleaks yes no no 0.31s
✅ REPOSITORY git_diff yes no no 0.01s
✅ REPOSITORY grype yes no no 28.34s
✅ REPOSITORY secretlint yes no no 0.39s
✅ REPOSITORY syft yes no no 1.75s
✅ REPOSITORY trivy yes no no 6.47s
✅ REPOSITORY trivy-sbom yes no no 1.43s
✅ REPOSITORY trufflehog yes no no 2.19s
✅ SPELL lychee 12 0 0 0.35s
✅ YAML prettier 10 0 0 0 0.77s
✅ YAML v8r 10 0 0 6.91s
✅ YAML yamllint 10 0 0 0.63s

Detailed Issues

❌ GO / golangci-lint - 1 error
level=info msg="golangci-lint has version 2.7.2 built with go1.25.4 from 9f61b0f5 on 2025-12-07T16:57:12Z"
level=info msg="[config_reader] Used config file ../../action/lib/.automation/.golangci.yml"
level=info msg="[config_reader] Module name \"github.com/atlascloud/packages\""
level=info msg="maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined"
level=info msg="[goenv] Read go env for 6.226929ms: map[string]string{\"GOCACHE\":\"/github/home/.cache/go-build\", \"GOROOT\":\"/usr/lib/go\"}"
level=info msg="[lintersdb] Active 6 linters: [gocritic gofmt govet ineffassign staticcheck unused]"
level=info msg="[loader] Go packages loading at mode 8767 (compiled_files|deps|exports_file|imports|types_sizes|files|name) took 30.810686706s"
level=info msg="[runner/filename_unadjuster] Pre-built 0 adjustments in 4.33279ms"
level=info msg="[linters_context/goanalysis] analyzers took 22.941105069s with top 10 stages: buildir: 18.582008162s, inspect: 793.384155ms, fact_purity: 418.89078ms, printf: 375.72303ms, ctrlflow: 354.464773ms, nilness: 282.53172ms, gocritic: 278.125118ms, fact_deprecated: 255.577116ms, SA5012: 231.686371ms, unused: 222.383107ms"
level=info msg="[runner] Applying suggested fixes"
level=info msg="[runner] fixer took 2.074µs with stages: all: 2.074µs"
level=info msg="[runner/exclusion_paths] Skipped 0 issues by pattern \"third_party$\""
level=info msg="[runner/exclusion_paths] Skipped 0 issues by pattern \"builtin$\""
level=info msg="[runner/exclusion_paths] Skipped 0 issues by pattern \"examples$\""
level=info msg="[runner/exclusion_rules] Skipped 0 issues by rules: [Path: \"builtin$\", Linters: \"gofmt\"]"
level=info msg="[runner/exclusion_rules] Skipped 0 issues by rules: [Path: \"examples$\", Linters: \"gofmt\"]"
level=info msg="[runner/exclusion_rules] Skipped 0 issues by rules: [Path: \"third_party$\", Linters: \"gofmt\"]"
level=info msg="[runner] Issues before processing: 2, after processing: 1"
level=info msg="[runner] Processors filtering stat (in/out): max_from_linter: 1/1, source_code: 1/1, sort_results: 1/1, generated_file_filter: 2/1, fixer: 1/1, uniq_by_line: 1/1, path_absoluter: 2/2, exclusion_paths: 2/2, path_shortener: 1/1, severity-rules: 1/1, cgo: 2/2, filename_unadjuster: 2/2, invalid_issue: 2/2, path_relativity: 2/2, nolint_filter: 1/1, path_prettifier: 1/1, exclusion_rules: 1/1, diff: 1/1, max_per_file_from_linter: 1/1, max_same_issues: 1/1"
level=info msg="[runner] processing took 594.023µs with stages: nolint_filter: 293.95µs, generated_file_filter: 106.86µs, fixer: 66.154µs, exclusion_rules: 43.421µs, source_code: 32.402µs, exclusion_paths: 31.839µs, path_relativity: 4.739µs, sort_results: 2.454µs, uniq_by_line: 2.425µs, max_from_linter: 2.204µs, max_same_issues: 1.773µs, path_absoluter: 1.173µs, invalid_issue: 1.052µs, cgo: 922ns, path_shortener: 841ns, filename_unadjuster: 632ns, diff: 371ns, max_per_file_from_linter: 349ns, path_prettifier: 241ns, severity-rules: 221ns"
level=info msg="[runner] linters took 8.538252817s with stages: goanalysis_metalinter: 8.537558305s"
../../..cmd/api/main.go:49:8: SA1019: middleware.Logger is deprecated: please use middleware.RequestLogger or middleware.RequestLoggerWithConfig instead. (staticcheck)
	e.Use(middleware.Logger())
	      ^
1 issues:
* staticcheck: 1
level=info msg="File cache stats: 1 entries of total size 2.8KiB"
level=info msg="Memory: 394 samples, avg is 113.2MB, max is 515.6MB"
level=info msg="Execution took 39.36009543s"

See detailed reports in MegaLinter artifacts

@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/labstack/echo/v4-4.15.0 branch 2 times, most recently from d92219e to 35ecbea Compare January 29, 2026 19:41
Bumps [github.com/labstack/echo/v4](https://github.com/labstack/echo) from 4.13.4 to 4.15.0.
- [Release notes](https://github.com/labstack/echo/releases)
- [Changelog](https://github.com/labstack/echo/blob/master/CHANGELOG.md)
- [Commits](labstack/echo@v4.13.4...v4.15.0)

---
updated-dependencies:
- dependency-name: github.com/labstack/echo/v4
  dependency-version: 4.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/labstack/echo/v4-4.15.0 branch from 35ecbea to c3faa7d Compare January 30, 2026 01:01