Skip to content

⬆️ Bump the gomod-deps group across 1 directory with 5 updates#633

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/gomod-deps-52d998f28a
Closed

⬆️ Bump the gomod-deps group across 1 directory with 5 updates#633
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/gomod-deps-52d998f28a

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 1, 2026
edited
Loading

Bumps the gomod-deps group with 4 updates in the / directory: github.com/arran4/golang-ical, github.com/labstack/echo-contrib, golang.org/x/oauth2 and google.golang.org/api.

Updates github.com/arran4/golang-ical from 0.3.2 to 0.3.3

Release notes

Sourced from github.com/arran4/golang-ical's releases.

v0.3.3

What's Changed

New Contributors

Full Changelog: arran4/golang-ical@v0.3.2...v0.3.3

Commits
  • 3cef482 Merge pull request #124 from edds/allow-properties-after-components
  • e117db9 Fix tests for WithUnknownPropertyHandler migration
  • b55b780 Update tests to use new unknown property handler
  • 8d5c561 Use of fallback call back functions via a type switched varidict arg effectiv...
  • e44e014 Merge pull request #125 from arran4/refactor-setgeo-generics-6807043029383642851
  • c14752e Merge branch 'master' into refactor-setgeo-generics-6807043029383642851
  • 32ee934 Merge pull request #128 from arran4/fix-ci-macos-runner-2346303038533016701
  • a9d94af Merge branch 'master' into fix-ci-macos-runner-2346303038533016701
  • 8179c01 Refactor SetGeo to use generics
  • 7a2a790 Merge pull request #127 from arran4/parse-component-switch-types-470948247571...
  • Additional commits viewable in compare view

Updates github.com/labstack/echo-contrib from 0.17.4 to 0.50.1

Release notes

Sourced from github.com/labstack/echo-contrib's releases.

Echo 5 support is located in echo-contrib/v5 series

Echo 5 support was introduced in this repository with the v0.50.0 release. However, this also means that users who are still on Echo 4 and run go get -u ./... will inadvertently pull in Echo 5, which they neither want nor need at this time.

v0.50.0 will be retracted in v0.18.0 series and v0+ will only support Echo 4. For Echo 5 support use v5 major version of this repository.

Full Changelog: labstack/echo-contrib@v0.17.4...v0.50.1

Relates to labstack/echo-contrib#142

V5 is out

See: https://github.com/labstack/echo/releases/tag/v5.0.0

Retract v0.50.0

Echo 5 support was introduced in this repository with the v0.50.0 release. However, this also means that users who are still on Echo 4 and run go get -u ./... will inadvertently pull in Echo 5, which they neither want nor need at this time.

v0.50.0 will be retracted in v0.18.0 series and v0+ will only support Echo 4. For Echo 5 support use v5 major version of this repository.

Full Changelog: labstack/echo-contrib@v0.17.4...v0.18.0

Relates to labstack/echo-contrib#142

Commits

Updates github.com/labstack/echo/v4 from 4.14.0 to 4.15.0

Release notes

Sourced from github.com/labstack/echo/v4's releases.

v4.15.0

Security

WARNING: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship between the request origin and the target. The middleware uses this to make security decisions:

  • same-origin or none: Requests are allowed (exact origin match or direct user navigation)
  • same-site: Falls back to token validation (e.g., subdomain to main domain)
  • cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to traditional token-based CSRF protection.

New Configuration Options:

  • TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
  • AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},
// Custom validation for same-site requests
AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
    // Your custom authorization logic here
    return validateCustomAuth(c), nil
    // return true, err  // blocks request with error
    // return true, nil  // allows CSRF request through
    // return false, nil // falls back to legacy token logic
},

}))

PR: labstack/echo#2858

Type-Safe Generic Parameter Binding

  • Added generic functions for type-safe parameter extraction and context access by @​aldas in labstack/echo#2856

    Echo now provides generic functions for extracting path, query, and form parameters with automatic type conversion, eliminating manual string parsing and type assertions.

... (truncated)

Changelog

Sourced from github.com/labstack/echo/v4's changelog.

v4.15.0 - 2026-01-01

Security

NB: If your application relies on cross-origin or same-site (same subdomain) requests do not blindly push this version to production

The CSRF middleware now supports the Sec-Fetch-Site header as a modern, defense-in-depth approach to CSRF protection, implementing the OWASP-recommended Fetch Metadata API alongside the traditional token-based mechanism.

How it works:

Modern browsers automatically send the Sec-Fetch-Site header with all requests, indicating the relationship between the request origin and the target. The middleware uses this to make security decisions:

  • same-origin or none: Requests are allowed (exact origin match or direct user navigation)
  • same-site: Falls back to token validation (e.g., subdomain to main domain)
  • cross-site: Blocked by default with 403 error for unsafe methods (POST, PUT, DELETE, PATCH)

For browsers that don't send this header (older browsers), the middleware seamlessly falls back to traditional token-based CSRF protection.

New Configuration Options:

  • TrustedOrigins []string: Allowlist specific origins for cross-site requests (useful for OAuth callbacks, webhooks)
  • AllowSecFetchSiteFunc func(echo.Context) (bool, error): Custom logic for same-site/cross-site request validation

Example:

e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
    // Allow OAuth callbacks from trusted provider
    TrustedOrigins: []string{"https://oauth-provider.com"},
// Custom validation for same-site requests
AllowSecFetchSiteFunc: func(c echo.Context) (bool, error) {
    // Your custom authorization logic here
    return validateCustomAuth(c), nil
    // return true, err  // blocks request with error
    // return true, nil  // allows CSRF request through
    // return false, nil // falls back to legacy token logic
},

}))

PR: labstack/echo#2858

Type-Safe Generic Parameter Binding

  • Added generic functions for type-safe parameter extraction and context access by @​aldas in labstack/echo#2856

    Echo now provides generic functions for extracting path, query, and form parameters with automatic type conversion,

... (truncated)

Commits
  • 482bb46 v4.15.0 changelog
  • d0f9d1e CRSF with Sec-Fetch-Site=same-site falls back to legacy token
  • f3fc618 CRSF with Sec-Fetch-Site checks
  • 4dcb9b4 licence headers
  • cbc0ac1 Add PathParam(Or)/QueryParam(Or)/FormParam(Or) generic functions
  • 6b14f4e Add Context.Get generic functions
  • 321530d disable test - returns different error under Windows
  • c8abd9f disable flaky test
  • 9fe43f7 fix Rate limiter disallows fractional rates
  • 1b5122a document things to reduce false positives
  • Additional commits viewable in compare view

Updates golang.org/x/oauth2 from 0.34.0 to 0.35.0

Commits

Updates google.golang.org/api from 0.258.0 to 0.269.0

Release notes

Sourced from google.golang.org/api's releases.

v0.269.0

0.269.0 (2026-02-24)

Features

Bug Fixes

  • generator: Handle preview version pkg name (#3511) (2a249ce)

v0.268.0

0.268.0 (2026-02-23)

Features

v0.267.0

0.267.0 (2026-02-17)

Features

v0.266.0

0.266.0 (2026-02-10)

Features

... (truncated)

Changelog

Sourced from google.golang.org/api's changelog.

0.269.0 (2026-02-24)

Features

Bug Fixes

  • generator: Handle preview version pkg name (#3511) (2a249ce)

0.268.0 (2026-02-23)

Features

0.267.0 (2026-02-17)

Features

0.266.0 (2026-02-10)

Features

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 1, 2026
@dependabot dependabot bot requested review from Nzt3-gh and nyson411 as code owners March 1, 2026 05:05
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Mar 1, 2026
@dependabot
⬆️ Bump the gomod-deps group across 1 directory with 5 updates
30b169b 
Bumps the gomod-deps group with 4 updates in the / directory: [github.com/arran4/golang-ical](https://github.com/arran4/golang-ical), [github.com/labstack/echo-contrib](https://github.com/labstack/echo-contrib), [golang.org/x/oauth2](https://github.com/golang/oauth2) and [google.golang.org/api](https://github.com/googleapis/google-api-go-client).


Updates `github.com/arran4/golang-ical` from 0.3.2 to 0.3.3
- [Release notes](https://github.com/arran4/golang-ical/releases)
- [Commits](arran4/golang-ical@v0.3.2...v0.3.3)

Updates `github.com/labstack/echo-contrib` from 0.17.4 to 0.50.1
- [Release notes](https://github.com/labstack/echo-contrib/releases)
- [Commits](labstack/echo-contrib@v0.17.4...v0.50.1)

Updates `github.com/labstack/echo/v4` from 4.14.0 to 4.15.0
- [Release notes](https://github.com/labstack/echo/releases)
- [Changelog](https://github.com/labstack/echo/blob/master/CHANGELOG.md)
- [Commits](labstack/echo@v4.14.0...v4.15.0)

Updates `golang.org/x/oauth2` from 0.34.0 to 0.35.0
- [Commits](golang/oauth2@v0.34.0...v0.35.0)

Updates `google.golang.org/api` from 0.258.0 to 0.269.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.258.0...v0.269.0)

---
updated-dependencies:
- dependency-name: github.com/arran4/golang-ical
  dependency-version: 0.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod-deps
- dependency-name: github.com/labstack/echo-contrib
  dependency-version: 0.50.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-deps
- dependency-name: github.com/labstack/echo/v4
  dependency-version: 4.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-deps
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.35.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-deps
- dependency-name: google.golang.org/api
  dependency-version: 0.269.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/gomod-deps-52d998f28a branch from 1c8e33c to 30b169b Compare March 2, 2026 04:53
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Apr 1, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Apr 1, 2026
@dependabot dependabot bot deleted the dependabot/go_modules/gomod-deps-52d998f28a branch April 1, 2026 04:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Nzt3-gh Nzt3-gh Awaiting requested review from Nzt3-gh Nzt3-gh is a code owner

@nyson411 nyson411 Awaiting requested review from nyson411 nyson411 is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update Go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants