fix(deps): update module github.com/labstack/echo/v4 to v5

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/labstack/echo/v4	v4.15.2 → v5.1.1

---

Release Notes

labstack/echo (github.com/labstack/echo/v4)

v5.1.1

Compare Source

Security

• Context.Scheme() should validate values taken from header by @​aldas in #​2953

Thanks to @​shblue21 for reporting this issue.

Enhancements

• Add golangci linter configuration by @​aldas in #​2930
• Make StartConfig listener creation context-aware by @​EricGusmao in #​2936
• fix(lint): resolve staticcheck issues and improve code quality by @​itsllyaz in #​2941
• Context.Scheme should validate values taken from header by @​aldas in #​2953
• chore: fix typos in httperror.go by @​tisonkun in #​2958
• Context.Json should not unwrap response by @​aldas in #​2964

v5.1.0

Compare Source

Security

This change does not break the API contract, but it does introduce breaking changes in logic/behavior.
If your application is using c.RealIP() beware and read https://echo.labstack.com/docs/ip-address

v4 behavior can be restored with:

e := echo.New()
e.IPExtractor = echo.LegacyIPExtractor()

• Remove legacy IP extraction logic from context.RealIP method by @​aldas in #​2933

Enhancements

• Add echo-opentelemetry to the README.md by @​aldas in #​2908
• fix: correct spelling mistakes in comments and field name by @​crawfordxx in #​2916
• Add https://github.com/labstack/echo-prometheus to the middleware list in README.md by @​aldas in #​2919
• Add StartConfig.Listener so server with custom Listener is easier to create by @​aldas in #​2920
• Fix rate limiter documentation for default burst value by @​karesansui-u in #​2925
• Add doc comments to clarify usage of File related methods and leading slash handling by @​aldas in #​2928
• Add NewDefaultFS function to help create filesystem that allows absolute paths by @​aldas in #​2931
• Do not set http.Server.WriteTimeout in StartConfig by @​aldas in #​2932

v5.0.4

Compare Source

Enhancements

• Remove unused import 'errors' from README example by @​kumapower17 in #​2889
• Fix Graceful shutdown: after http.Server.Serve returns we need to wait for graceful shutdown goroutine to finish by @​aldas in #​2898
• Update location of oapi-codegen in README by @​mromaszewicz in #​2896
• Add Go 1.26 to CI flow by @​aldas in #​2899
• Add new function echo.StatusCode by @​suwakei in #​2892
• CSRF: support older token-based CSRF protection handler that want to render token into template by @​aldas in #​2894
• Add echo.ResolveResponseStatus function to help middleware/handlers determine HTTP status code and echo.Response by @​aldas in #​2900

v5.0.3

Compare Source

Security

• Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by @​shblue21.

This applies to cases when:

• Windows is used as OS
• middleware.StaticConfig.Filesystem is nil (default)
• echo.Filesystem is has not been set explicitly (default)

Exposure is restricted to the active process working directory and its subfolders.

v5.0.2

Compare Source

Security

• Fix Static middleware with config.Browse=true lists all files/subfolders from config.Filesystem root and not starting from config.Root in #​2887

v5.0.1

Compare Source

• Panic MW: will now return a custom PanicStackError with stack trace by @​aldas in #​2871
• Docs: add missing err parameter to DenyHandler example by @​cgalibern in #​2878
• improve: improve websocket checks in IsWebSocket() [per RFC 6455] by @​raju-mechatronics in #​2875
• fix: Context.Json() should not send status code before serialization is complete by @​aldas in #​2877

v5.0.0

Compare Source

Echo v5 is maintenance release with major breaking changes

• Context is now struct instead of interface and we can add method to it in the future in minor versions.
• Adds new Router interface for possible new routing implementations.
• Drops old logging interface and uses moderm log/slog instead.
• Rearranges alot of methods/function signatures to make them more consistent.

Upgrade notes and v4 support:

• Echo v4 is supported with security* updates and bug fixes until 2026-12-31
• If you are using Echo in a production environment, it is recommended to wait until after 2026-03-31 before upgrading.
• Until 2026-03-31, any critical issues requiring breaking v5 API changes will be addressed, even if this violates semantic versioning.

See API_CHANGES_V5.md for public API changes between v4 and v5, notes on upgrading.

Upgrading TLDR:

If you are using Linux you can migrate easier parts like that:

find . -type f -name "*.go" -exec sed -i 's/ echo.Context/ *echo.Context/g' {} +
find . -type f -name "*.go" -exec sed -i 's/echo\/v4/echo\/v5/g' {} +

macOS

find . -type f -name "*.go" -exec sed -i '' 's/ echo.Context/ *echo.Context/g' {} +
find . -type f -name "*.go" -exec sed -i '' 's/echo\/v4/echo\/v5/g' {} +

or in your favorite IDE

Replace all:

1. echo.Context -> *echo.Context
2. echo/v4 -> echo/v5

This should solve most of the issues. Probably the hardest part is updating all the tests.

---

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

• Branch creation
  • "before 9am on saturday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

📝 Walkthrough

Walkthrough

サンプル実装の Echo フレームワーク依存をバージョン 4 から 5 に更新する最小限の変更です。go.mod ファイル内で古いバージョンの宣言を削除し、v5.1.1 を明示的に指定して、依存チェーンの一貫性を確保しています。

Changes

Echo v5 マイグレーション

Layer / File(s)	Summary
Echo v5 依存関係更新 _examples/echo/go.mod	github.com/labstack/echo/v4 v4.15.2 を削除し、github.com/labstack/echo/v5 v5.1.1 を require ブロックに追加して、フレームワークバージョンを v5 系に統一しました。

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• bright-room/idem#228: 同じく _examples/echo/go.mod で github.com/labstack/echo を v5.1.1 に揃えるため、v5 への依存追加と v4 の整理を行っており、require 変更内容が一致しています。

Poem

🐰 モジュール路の旅人よ、
古き v4 の影を脱ぎ捨て、
新しき v5 の光を掴む時。
小さき一行、大きき一歩、
Echo のサンプルは輝きを増す ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	プルリクエストのタイトルは、変更内容を正確に反映しており、github.com/labstack/echo/v4 から v5 への更新を明確に示しています。
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/github.com-labstack-echo-v4-5.x

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Code Metrics Report

Coverage	Test Execution Time
81.9%	31s

---

Reported by octocov

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@_examples/echo/go.mod`:
- Line 7: Update the imports in _examples/echo/main.go to match Echo v5 by
replacing any occurrences of "github.com/labstack/echo/v4" and
"github.com/labstack/echo/v4/middleware" with "github.com/labstack/echo/v5" and
"github.com/labstack/echo/v5/middleware"; then verify usages in functions like
New()/echo.New(), e.Use(middleware.Logger()/Recover()) and any middleware API
calls still compile under v5 and adjust calls/signatures if required so the
import paths and APIs are consistent with the go.mod entry.
- Around line 7-8: The go.mod contains a duplicated require entry for
github.com/labstack/echo/v5 v5.1.1; remove the duplicate so the require block
contains a single line "github.com/labstack/echo/v5 v5.1.1" (leave the version
unchanged) — locate the require block in _examples/echo/go.mod and delete the
redundant occurrence of the symbol github.com/labstack/echo/v5 v5.1.1.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 78530c0a-23fb-4047-a062-336262da2ae9

📥 Commits

Reviewing files that changed from the base of the PR and between 4e18337 and fe2428e.

📒 Files selected for processing (1)

• _examples/echo/go.mod

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | 🏗️ Heavy lift

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# v4 import 残存の確認（サンプル配下）
rg -nP 'github\.com/labstack/echo/v4(/middleware)?' _examples/echo/main.go _examples/echo/*.go

Repository: bright-room/idem

Length of output: 310

---

Echo v5 への切替に合わせて _examples/echo/main.go の import を更新してください

_examples/echo/go.mod は github.com/labstack/echo/v5 v5.1.1 ですが、_examples/echo/main.go では github.com/labstack/echo/v4 と github.com/labstack/echo/v4/middleware を import しており、依存コントラクトが不一致です。同PRで main.go を Echo v5 向けの import/API に揃えるか、整合するように依存を調整してください。

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@_examples/echo/go.mod` at line 7, Update the imports in
_examples/echo/main.go to match Echo v5 by replacing any occurrences of
"github.com/labstack/echo/v4" and "github.com/labstack/echo/v4/middleware" with
"github.com/labstack/echo/v5" and "github.com/labstack/echo/v5/middleware"; then
verify usages in functions like New()/echo.New(),
e.Use(middleware.Logger()/Recover()) and any middleware API calls still compile
under v5 and adjust calls/signatures if required so the import paths and APIs
are consistent with the go.mod entry.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# 重複 require の確認
rg -nP '^\s*github\.com/labstack/echo/v5\s+v5\.1\.1\s*$' _examples/echo/go.mod

Repository: bright-room/idem

Length of output: 136

---

_examples/echo/go.mod の require 重複を削除してください
github.com/labstack/echo/v5 v5.1.1 が 7〜8 行で重複定義されています。Go modules の解決を不安定化させる/不要差分になるため、1行に統一してください。

修正案（diff）

 require (
 	github.com/bright-room/idem v1.2.1
 	github.com/labstack/echo/v5 v5.1.1
-	github.com/labstack/echo/v5 v5.1.1
 )

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	github.com/labstack/echo/v5 v5.1.1
	github.com/labstack/echo/v5 v5.1.1
	github.com/labstack/echo/v5 v5.1.1

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@_examples/echo/go.mod` around lines 7 - 8, The go.mod contains a duplicated
require entry for github.com/labstack/echo/v5 v5.1.1; remove the duplicate so
the require block contains a single line "github.com/labstack/echo/v5 v5.1.1"
(leave the version unchanged) — locate the require block in
_examples/echo/go.mod and delete the redundant occurrence of the symbol
github.com/labstack/echo/v5 v5.1.1.