diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3bdb4e3..a722df7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ## [Unreleased](https://github.com/ganto/pkgproxy/commits/HEAD/)
 
+## [v0.1.2](https://github.com/ganto/pkgproxy/releases/tag/v0.1.2) - 2026-03-28
+
+### Fixed
+
+- Disable Echo v5's default 30-second `WriteTimeout` which killed streaming responses for large package files
+
 ## [v0.1.1](https://github.com/ganto/pkgproxy/releases/tag/v0.1.1) - 2026-03-25
 
 ### Added
diff --git a/cmd/serve.go b/cmd/serve.go
index 02a25e2..f27874e 100644
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -6,6 +6,7 @@ import (
 "context"
 "fmt"
 "log/slog"
+ "net/http"
 "os"
 "os/signal"
 "runtime"
@@ -126,6 +127,16 @@ func startServer(_ *cobra.Command, _ []string) error {
 sc := echo.StartConfig{
 Address: fmt.Sprintf("%s:%d", listenAddress, listenPort),
 HideBanner: true,
+ BeforeServeFunc: func(s *http.Server) error {
+ // Echo v5 defaults WriteTimeout to 30s as Slowloris mitigation
+ // (GoSec G112). WriteTimeout is a hard wall-clock deadline from
+ // request header read to response completion, which cuts off
+ // streaming responses for large package files. If pkgproxy is
+ // exposed directly, use a reverse proxy (e.g. nginx) with
+ // appropriate timeouts for Slowloris protection.
+ s.WriteTimeout = 0
+ return nil
+ },
 }
 return sc.Start(ctx, app)
 }
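Review bot: Setting `s.WriteTimeout = 0` in `BeforeServeFunc` removes the write deadline for every route, not only the package-streaming ones, so a client that reads a response very slowly can hold a connection and its goroutine open indefinitely. The comment attributes the 30s default to Slowloris, but slow-header clients are bounded by `ReadHeaderTimeout`/`ReadTimeout`; the hunk does not show whether Echo's values for those and for `IdleTimeout` remain in effect, so it would be safer to set them explicitly in the same callback, e.g. `s.ReadHeaderTimeout = 10 * time.Second` (illustrative value, assuming `time` is imported). To keep a bound on stalled downloads without a fixed wall-clock cap, the streaming handler could extend a per-request deadline as data is written via `http.NewResponseController(w).SetWriteDeadline(...)` (Go 1.20+) instead of disabling the timeout server-wide. The rest of `startServer` lies outside the hunk.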